CVE-2021-36393

Vulnerability

Overview

CVE-2021-36393 identifies an SQL injection risk in Moodle's codebase, specifically within the library function responsible for retrieving a user's recent courses. The flaw allows an attacker to inject arbitrary SQL code into a query, which can lead to unauthorized access to or manipulation of the database. The root cause stems from insufficient sanitization or inadequate use of parameterized queries in that particular library function.

Exploitation

Scenario

To exploit this vulnerability, an attacker must be an authenticated user of the Moodle platform. The attack vector is local to the application's web interface, meaning no special network position is required beyond normal access to the Moodle site. The attacker can craft a malicious request to the recent courses endpoint, embedding SQL code in a parameter that is not properly escaped. This can be done without needing any additional privileges beyond those of a standard user.

Impact

Successful exploitation allows an attacker to read, modify, or delete data from the Moodle database. The attacker could potentially retrieve sensitive information such as user credentials, course content, or other personal data. Additionally, they may be able to escalate privileges or perform other actions depending on the database user's permissions. The integrity and confidentiality of the Moodle instance are at risk.

Mitigation

The Moodle project has addressed this issue in a security release. Administrators should upgrade to the latest version of Moodle that contains the fix for CVE-2021-36393. As of the publication date (2023-03-06), the patch is available via the official Moodle forum [1] and the source code repository [2]. No workaround is provided, so updating is strongly recommended.