CVE-2016-7919

Published on: 10/28/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:05 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Moodle contain the following vulnerability:

** DISPUTED ** Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields."

  • CVE-2016-7919 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVE References

  • [MDL-56298] CVE 2016-7919 - SQLi on Moodle installation (Latest Version) - Moodle Tracker
    Tags: Issue Tracking
    Link: MISC tracker.moodle.org/browse/MDL-56298 (tracker.moodle.org, text/html)
  • Moodle CVE-2016-7919 Information Disclosure Vulnerability
    Tags: Third Party Advisory, VDB Entry
    Link: BID 93971 (cve.report (archive), text/html)
  • Moodle 3.1.2 - Installation process SQLi - YouTube
    Tags: Exploit, Third Party Advisory
    Link: MISC www.youtube.com/watch?v=pQS1GdQ3CBc (www.youtube.com, text/html)

Known Affected Configurations (CPE V2.3)

Type         Vendor  Product  Version  Update  Edition  Language
Application  Moodle  Moodle   3.1.2    All     All      All
  • cpe:2.3:a:moodle:moodle:3.1.2:*:*:*:*:*:*:*