- Advisory ID: DRUPAL-SA-CONTRIB-2009-078
- Project: Moodle Course List module (third-party module)
- Version: 6.x
- Date: 2009-October-21
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The Moodle Course List module provides a block which displays links to a user's Moodle courses. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
Versions affected
- Moodle Course List module versions 6.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Moodle Course List module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Moodle Course List module for Drupal 6.x, upgrade to Moodle Course List module 6.x-1.2
See also the Moodle Course List module project page.
Reported by
Fixed by
Adam Gerson, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.