• Advisory ID: DRUPAL-SA-CONTRIB-2009-078
  • Project: Moodle Course List module (third-party module)
  • Version: 6.x
  • Date: 2009-October-21
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection


The Moodle Course List module provides a block which displays links to a user's Moodle courses. In some cases the module does not properly sanitize user input, leading to a SQL Injection (SQL Injection) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

Versions affected

  • Moodle Course List module versions 6.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Moodle Course List module, there is nothing you need to do.


Install the latest version:

See also the Moodle Course List module project page.

Reported by

Charlie Gordon

Fixed by

Adam Gerson, the module maintainer.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.