
CVE-2023-28329:
Moodle SQL Injection vulnerability

CVSS Score
8.8 (CVSS 3.1)

Basic Information

EPSS Score
0.53811%
Published
3/23/2023
Updated
4/19/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name   | Ecosystem | Vulnerable Versions   | First Patched Version
moodle/moodle  | composer  | >= 4.1.0, < 4.1.2     | 4.1.2
moodle/moodle  | composer  | >= 4.0.0, < 4.0.7     | 4.0.7
moodle/moodle  | composer  | >= 3.11.0, < 3.11.13  | 3.11.13
moodle/moodle  | composer  | < 3.9.20              | 3.9.20

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing validation of the user-controlled 'standardfield' parameter in profile availability conditions. The patch added validation through get_standard_profile_fields() and checks via array_key_exists. The filter_user_list and get_user_list_sql functions used the unvalidated field name directly in SQL queries (visible in the pre-patch code's $DB->get_records_select call and WHERE clause construction). get_description had a secondary exposure but was not the primary injection vector. The high confidence comes from the patch's security-focused validation being added precisely to these SQL-handling functions.
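To make the defect class and the fix pattern concrete, here is an added PHP illustration that is not Moodle's code: a stand-in database class, hypothetical filter_user_list_* functions and a constructed standard-field list show a field name spliced into a WHERE clause before and after an array_key_exists allowlist check of the kind the patch is described as adding. Only the shape of the generated query is shown; nothing is executed against a database.

```php
<?php
// Added illustration, not Moodle's code. All class and function names are
// hypothetical stand-ins for the real Moodle profile-condition code and DB API.
declare(strict_types=1);

// Constructed sample of the "standard" profile fields an allowlist would hold.
function get_standard_profile_fields(): array {
    return [
        'firstname'   => 'First name',
        'lastname'    => 'Last name',
        'email'       => 'Email address',
        'institution' => 'Institution',
    ];
}

// Minimal stand-in for a DB layer: it renders the query text so the effect of
// the field name is visible, and records it instead of running it.
final class FakeDb {
    public array $log = [];

    public function get_records_select(string $table, string $select, array $params = []): array {
        $this->log[] = "SELECT * FROM {{$table}} WHERE {$select} -- params: " . json_encode($params);
        return [];
    }
}

// BEFORE (defect pattern): the field name from the stored condition is
// interpolated into SQL. The value is parameterised, but the column identifier
// is not, so an unexpected field name changes the query structure itself.
function filter_user_list_unvalidated(FakeDb $db, string $standardfield, string $value): array {
    $select = "{$standardfield} = :value";
    return $db->get_records_select('user', $select, ['value' => $value]);
}

// AFTER (fix pattern described above): reject any field name that is not a
// key of the standard-field allowlist before it can reach the SQL string.
function filter_user_list_validated(FakeDb $db, string $standardfield, string $value): array {
    if (!array_key_exists($standardfield, get_standard_profile_fields())) {
        throw new InvalidArgumentException("Unknown standard profile field: {$standardfield}");
    }
    $select = "{$standardfield} = :value";
    return $db->get_records_select('user', $select, ['value' => $value]);
}

$db = new FakeDb();

// Expected use: a real column name.
filter_user_list_unvalidated($db, 'email', 'alice@example.org');

// Constructed sample of a field name that is not a column at all; the
// unvalidated path still accepts it and the WHERE clause changes shape.
filter_user_list_unvalidated($db, 'lastname OR 1=1', 'x');

foreach ($db->log as $query) {
    echo $query, PHP_EOL;
}

// The validated path refuses the same input before building any SQL.
try {
    filter_user_list_validated($db, 'lastname OR 1=1', 'x');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the allowlist check is that placeholders only protect values, never identifiers; a column name taken from stored configuration has to be compared against a fixed set of known fields, exactly the role the root cause analysis attributes to get_standard_profile_fields() and array_key_exists.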


WAF Protection Rules

WAF Rule

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
