CVE-2023-30944: Moodle: minor sql injection risk in external wiki method for listing pages
First published: Fri Apr 21 2023(Updated: )
A limited SQL injection risk was identified in functionality used by the Wiki activity when listing pages. Versions affected: 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions Versions fixed: 4.1.3, 4.0.8, 3.11.14 and 3.9.21
Credit: patrick@puiterwijk.org patrick@puiterwijk.org patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Moodle Moodle | >=3.9.0<3.9.21 | |
| Moodle Moodle | >=3.11.0<3.11.14 | |
| Moodle Moodle | >=4.0.0<4.0.8 | |
| Moodle Moodle | >=4.1.0<4.1.3 | |
| Fedoraproject Extra Packages For Enterprise Linux | =7.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| composer/moodle/moodle | <4.2.0-rc2 | 4.2.0-rc2 |
| redhat/moodle | <4.1.3 | 4.1.3 |
| redhat/moodle | <4.0.8 | 4.0.8 |
| redhat/moodle | <3.11.14 | 3.11.14 |
| redhat/moodle | <3.9.21 | 3.9.21 |
| >=3.9.0<3.9.21 | ||
| >=3.11.0<3.11.14 | ||
| >=4.0.0<4.0.8 | ||
| >=4.1.0<4.1.3 | ||
| =7.0 | ||
| =36 | ||
| =37 | ||
| =38 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://moodle.org/mod/forum/discuss.php?d=446286
- https://bugzilla.redhat.com/show_bug.cgi?id=2188606
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30944
- https://github.com/moodle/moodle/commit/5521d1d6e8bb8bebb76ad8154095f6b18ea26e7f
- https://github.com/advisories/GHSA-7mmc-22g7-3xq2 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2192471
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2192472
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2192473
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2192474
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS
Frequently Asked Questions
What is the vulnerability ID for this Moodle vulnerability?
The vulnerability ID for this Moodle vulnerability is CVE-2023-30944.
What is the severity of CVE-2023-30944?
CVE-2023-30944 has a severity of 7.3 (high).
Which software versions are affected by CVE-2023-30944?
The affected software versions for CVE-2023-30944 are Moodle 3.9.0 to 3.9.21, Moodle 3.11.0 to 3.11.14, Moodle 4.0.0 to 4.0.8, Moodle 4.1.0 to 4.1.3, and Fedora Extra Packages For Enterprise Linux 7.0, Fedora 36, Fedora 37, Fedora 38.
How can a remote attacker exploit CVE-2023-30944?
A remote attacker can exploit CVE-2023-30944 by sending a specially crafted request to the affected application and execute limited SQL commands within the application database.
Are there any fixes or patches available for CVE-2023-30944?
Yes, fixes or patches are available for CVE-2023-30944. It is advised to update to Moodle 3.9.22, Moodle 3.11.15, Moodle 4.0.9, Moodle 4.1.4, or later versions.
- collector/nvd-latest
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-30944
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7mmc-22g7-3xq2
- agent/last-modified-date
- agent/references
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- collector/github-advisory
- vendor/moodle
- canonical/moodle moodle
- version/moodle moodle/3.9.0
- version/moodle moodle/3.11.0
- version/moodle moodle/4.0.0
- version/moodle moodle/4.1.0
- vendor/fedoraproject
- canonical/fedoraproject extra packages for enterprise linux
- version/fedoraproject extra packages for enterprise linux/7.0
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/redhat
- package-manager/composer