
CVE-2022-0332: SQL injection in Moodle

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.88419%
Published: 1/28/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: moodle/moodle
Ecosystem: composer
Vulnerable Versions: >= 3.11, < 3.11.5
First Patched Version: 3.11.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper handling of the 'sortorder' parameter in the user attempt fetching functionality. Before the patch, the code:

  1. Accepted arbitrary SQL fragments in the 'sortorder' parameter (it was cleaned as PARAM_TEXT instead of being validated against a specific format)
  2. Concatenated that user input directly into the SQL ORDER BY clause without whitelisting

The patch:

  1. Added get_safe_orderby validation restricting the allowed fields (id/firstname/lastname) and directions (ASC/DESC)
  2. Added test cases verifying protection against invalid sort parameters

The CWE-89 classification confirms the classic SQL injection pattern: direct manipulation of SQL command elements through user-controlled input.
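The contrast between the two patterns described above, as an added PHP example that is not Moodle's code. The function names, the table and the column names are illustrative; Moodle's real helper is get_safe_orderby(), which is not reproduced here. The example also shows why a whitelist is the right tool: query placeholders can bind values but not identifiers or keywords, so an ORDER BY clause cannot be parameterised the way a WHERE clause can.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's code. Function, table and column names are
// illustrative. It contrasts the pre-patch pattern described in the analysis
// (user-controlled 'sortorder' concatenated into ORDER BY) with a whitelist
// check of the kind the patch introduced. Placeholders cannot bind identifiers
// or keywords, so ORDER BY needs a whitelist even when the rest of the query
// is parameterised.

/** Pre-patch pattern: whatever the caller sent becomes part of the SQL text. */
function build_query_unsafe(string $sortorder): string {
    return "SELECT id, firstname, lastname FROM attempts WHERE userid = ? ORDER BY $sortorder";
}

/**
 * Returns a safe "ORDER BY <column> <direction>" fragment, or throws.
 * $sortorder is expected as "<field>" or "<field> <direction>".
 */
function safe_orderby(string $sortorder): string {
    // Caller-facing sort keys mapped to real column names; only the values
    // on the right-hand side ever reach the SQL string.
    $fields = ['id' => 'id', 'firstname' => 'firstname', 'lastname' => 'lastname'];
    $directions = ['ASC', 'DESC'];

    $parts = preg_split('/\s+/', trim($sortorder), 2);
    $fieldkey  = strtolower($parts[0]);
    $direction = strtoupper($parts[1] ?? 'ASC');

    // Fail closed: anything outside the two small whitelists is an error,
    // so no user-supplied text is ever copied into the query.
    if (!isset($fields[$fieldkey]) || !in_array($direction, $directions, true)) {
        throw new InvalidArgumentException("Unsupported sort order: $sortorder");
    }
    return 'ORDER BY ' . $fields[$fieldkey] . ' ' . $direction;
}

/** Post-patch pattern: only the whitelisted fragment is appended. */
function build_query_safe(string $sortorder): string {
    return 'SELECT id, firstname, lastname FROM attempts WHERE userid = ? ' . safe_orderby($sortorder);
}

// Constructed inputs: two the whitelist accepts (case is normalised) and two
// it must reject (an unknown column, and a trailing fragment after the direction).
foreach (['lastname DESC', 'FIRSTNAME asc', 'email', 'id ASC, firstname'] as $input) {
    try {
        echo build_query_safe($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The check splits the input on whitespace into at most two tokens, so any extra text after the direction ends up in the direction token and fails the whitelist; that is the case a test suite for this kind of fix should cover alongside plain unknown column names.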


WAF Protection Rules

WAF Rule

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
