Vulnerability Bulletins

MSA-23-0004: Authenticated SQL injection via availability check

System information

Affected software PHP


by Michael Hawkins.

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-28329

More info:

Standard resources

Property Value
CVE CVE-2023-28329.

Version history

Version Comments Date
1.0 Advisory issued 2023-04-28