Vulnerability Bulletins

MSA-21-0014: Blind SQL injection possible via MNet authentication


System information

Affected software: PHP

Description

by Michael Hawkins.

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair.

Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Rekter0
CVE identifier: CVE-2021-32474
Changes

More info:

https://moodle.org/mod/forum/discuss.php?d=422308&parent=1701632
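
A version triage check built from the affected and fixed releases listed above, as an added example that is not part of the advisory or of Moodle's code. The function names, status labels and sample inventory are constructed; treating branches with no listed fix (such as 3.6 or 3.7) as affected is an assumption based on the "earlier unsupported versions" wording.

```python
import re

# Fixed release per supported branch, from "Versions fixed" in the advisory.
FIXED_PATCH = {(3, 5): 18, (3, 8): 9, (3, 9): 7, (3, 10): 4}
FIRST_FIXED_BRANCH = (3, 11)  # 3.11 and every later branch include the fix


def parse_release(release):
    """Parse '3.9.6', '3.10' or '3.9.6+ (Build: 20210401)' to (major, minor, patch).

    A trailing '+' (weekly build) is ignored, so the build is judged
    conservatively as the base release.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release, mnet_enabled):
    """Return (status, minimum fixed release in the same branch or None)."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        return ("fixed", None)
    fixed_patch = FIXED_PATCH.get(branch)
    if fixed_patch is not None and patch >= fixed_patch:
        return ("fixed", None)
    # Assumption: branches with no listed fix (e.g. 3.6, 3.7, 3.4 and older)
    # fall under "earlier unsupported versions" and have no in-branch fix.
    target = f"{major}.{minor}.{fixed_patch}" if fixed_patch is not None else None
    # The advisory limits the risk to sites with MNet enabled and configured;
    # an unpatched site with MNet off is not exposed today but still needs the fix.
    status = "exposed" if mnet_enabled else "unpatched-mnet-off"
    return (status, target)


if __name__ == "__main__":
    # Constructed inventory: (site, release string, MNet enabled?)
    inventory = [("lms-a", "3.9.6+ (Build: 20210401)", True), ("lms-b", "3.10.4", True),
                 ("lms-c", "3.7.9", True), ("lms-d", "3.5.17", False)]
    for site, release, mnet in inventory:
        status, target = triage(release, mnet)
        hint = "" if status == "fixed" else f"upgrade to {target or 'a supported fixed branch'}"
        print(f"{site:6} {release:26} {status:20} {hint}")
```
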

Standard identifiers

Property    Value
CVE         CVE-2021-32474

Version history

Version    Comment            Date
1.0        Advisory issued    2021-05-18
Ministerio de Defensa
CNI
CCN
CCN-CERT