- Advisory ID: DRUPAL-SA-CONTRIB-2009-078
- Project: Moodle Course List module (third-party module)
- Version: 6.x
- Date: 2009-October-21
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
The Moodle Course List module provides a block which displays links to a user's Moodle courses. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
- Moodle Course List module versions 6.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Moodle Course List module, there is nothing you need to do.
Install the latest version:
- If you use the Moodle Course List module for Drupal 6.x, upgrade to Moodle Course List module 6.x-1.2
See also the Moodle Course List module project page.
Adam Gerson, the module maintainer.
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.