CVE-2009-4305

SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an "escaping issue when processing AICC CRS file (Course_Title)."

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://moodle.org/mod/forum/discuss.php?d=139120	Patch Vendor Advisory
http://docs.moodle.org/en/Moodle_1.9.7_release_notes	Patch
http://www.vupen.com/english/advisories/2009/3455	Patch Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html
http://www.securityfocus.com/bid/37244	Patch
http://secunia.com/advisories/37614	Vendor Advisory
http://docs.moodle.org/en/Moodle_1.8.11_release_notes	Patch
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00751.html

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle:1.8.2:::::::*
	cpe:2.3:a:moodle:moodle:1.8.3:::::::*
	cpe:2.3:a:moodle:moodle:1.8.4:::::::*
	cpe:2.3:a:moodle:moodle:1.8.5:::::::*
	cpe:2.3:a:moodle:moodle:1.8.7:::::::*
	cpe:2.3:a:moodle:moodle:1.8.1:::::::*
	cpe:2.3:a:moodle:moodle:1.8.9:::::::*
	cpe:2.3:a:moodle:moodle:1.9.5:::::::*
	cpe:2.3:a:moodle:moodle:1.9.1:::::::*
	cpe:2.3:a:moodle:moodle:1.9.2:::::::*
	cpe:2.3:a:moodle:moodle:1.9.3:::::::*
	cpe:2.3:a:moodle:moodle:1.9.4:::::::*
	cpe:2.3:a:moodle:moodle:1.8.8:::::::*
	cpe:2.3:a:moodle:moodle:1.9.6:::::::*
	cpe:2.3:a:moodle:moodle:1.8.10:::::::*

Information

Published : 2009-12-15 17:30

Updated : 2020-12-01 06:43

NVD link : CVE-2009-4305

Mitre link : CVE-2009-4305

JSON object : View

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advertisement

Products Affected

moodle

moodle

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://moodle.org/mod/forum/discuss.php?d=139120", "name": "http://moodle.org/mod/forum/discuss.php?d=139120", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://docs.moodle.org/en/Moodle_1.9.7_release_notes", "name": "http://docs.moodle.org/en/Moodle_1.9.7_release_notes", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.vupen.com/english/advisories/2009/3455", "name": "ADV-2009-3455", "tags": ["Patch", "Vendor Advisory"], "refsource": "VUPEN"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html", "name": "FEDORA-2009-13040", "tags": [], "refsource": "FEDORA"}, {"url": "http://www.securityfocus.com/bid/37244", "name": "37244", "tags": ["Patch"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/37614", "name": "37614", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://docs.moodle.org/en/Moodle_1.8.11_release_notes", "name": "http://docs.moodle.org/en/Moodle_1.8.11_release_notes", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html", "name": "FEDORA-2009-13065", "tags": [], "refsource": "FEDORA"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00751.html", "name": "FEDORA-2009-13080", "tags": [], "refsource": "FEDORA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an \"escaping issue when processing AICC CRS file (Course_Title).\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-4305", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2009-12-16T01:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-12-01T14:43Z"}