CVE-2017-2641
published 2017-03-26

CVE-2017-2641: In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

Priority: P268 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known (see Detection & IOCs)
EPSS: 14.53% (96.2nd percentile)

Affected

40 ranges (showing 25)

Vendor   Product   Version range              Fixed in
moodle   moodle    (not captured in extract)  (not captured in extract)

All 25 listed rows are vendor "moodle", product "moodle"; the version range and fixed-in values did not survive extraction and are not reproduced here.

Detection & IOCs (extracted from sources)

url: /blocks/course_overview/save.php
url: /lib/ajax/service.php
url: /my/
cookie: MoodleSession
command: core_user_update_user_preferences
other: course_overview_course_order
  • Monitor POST requests to /lib/ajax/service.php that call 'core_user_update_user_preferences' with a 'course_overview_course_order' preference whose value is a PHP serialized payload (begins with 'a:' for a serialized array or 'O:' for a serialized object).
  • Alert on POST to /blocks/course_overview/save.php with 'sortorder[]' set to 0, which resets the course_blocks sortorder and triggers the legacy user-preference code path used by the exploit.
  • Any authenticated (non-admin) user modifying rows of the 'config' table (e.g., the 'siteadmins' entry, row 25 on the reported installation) via the SQL injection vector should be treated as a privilege escalation attempt.
  • Watch for a GET to /admin/index.php?cache=0&confirmplugincheck=1 immediately following AJAX calls to service.php from a non-admin session; this indicates post-exploitation admin panel access.
  • Caveat: the row ID of the 'siteadmins' config entry (used to escalate privileges) is installation-dependent and is not always row 25.
  • Caveat: the exploit requires the attacker to already hold a registered (authenticated) account on the Moodle instance; unauthenticated exploitation is not possible.
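The four detection rules above, turned into runnable logic. This is an added example written for this page, not code from the page's sources or from Moodle. It runs over constructed request records; the record field names ('method', 'path', 'query', 'cookies', 'body') are assumptions about what a reverse proxy or WAF would log, and the AJAX body shape (a JSON list of calls with 'methodname' and 'args.preferences[].type/value') follows the standard Moodle lib/ajax/service.php request format. The third rule on the page requires knowing which sessions are non-admin, so the scanner takes an optional set of known admin sessions to exclude.

```python
"""Detection logic for the CVE-2017-2641 indicators: added example, not
code from the page's sources or from Moodle. Field names on the request
records are assumptions about what a proxy/WAF would log."""
import json
import re
from urllib.parse import parse_qs

# PHP serialize() emits 'a:<n>:{...}' for arrays and 'O:<n>:"Class":...' for objects.
SERIALIZED_PREFIX = re.compile(r"^(?:a|O):\d+:")

AJAX_PATH = "/lib/ajax/service.php"
SAVE_PATH = "/blocks/course_overview/save.php"
ADMIN_PATH = "/admin/index.php"


def serialized_course_order(body):
    """Rule 1: a core_user_update_user_preferences call whose
    course_overview_course_order value is a PHP-serialized array/object."""
    try:
        calls = json.loads(body)
    except (TypeError, ValueError):
        return False  # not a JSON body: cannot be the AJAX call of interest
    for call in calls if isinstance(calls, list) else []:
        if call.get("methodname") != "core_user_update_user_preferences":
            continue
        for pref in call.get("args", {}).get("preferences", []):
            if pref.get("type") == "course_overview_course_order" and \
               SERIALIZED_PREFIX.match(str(pref.get("value", ""))):
                return True
    return False


def sortorder_reset(body):
    """Rule 2: form-encoded POST to save.php carrying sortorder[]=0."""
    fields = parse_qs(body or "")
    return "0" in fields.get("sortorder[]", [])


def scan(events, admin_sessions=frozenset()):
    """Apply the rules in order and return (session, rule) alerts.
    Rule 3 is stateful: a session that called the AJAX endpoint earlier and
    then requests the admin plugin-check page is flagged, unless the session
    is a known admin session."""
    alerts = []
    ajax_sessions = set()
    for ev in events:
        sess = ev.get("cookies", {}).get("MoodleSession", "-")
        method, path = ev["method"], ev["path"]
        if method == "POST" and path == AJAX_PATH:
            ajax_sessions.add(sess)
            if serialized_course_order(ev.get("body")):
                alerts.append((sess, "serialized_course_order_pref"))
        elif method == "POST" and path == SAVE_PATH and sortorder_reset(ev.get("body")):
            alerts.append((sess, "course_overview_sortorder_reset"))
        elif method == "GET" and path == ADMIN_PATH:
            q = parse_qs(ev.get("query", ""))
            if q.get("cache") == ["0"] and q.get("confirmplugincheck") == ["1"] \
               and sess in ajax_sessions and sess not in admin_sessions:
                alerts.append((sess, "admin_plugincheck_after_ajax"))
    return alerts


def _ajax_body(userid, value):
    """Build a constructed AJAX body in the standard Moodle service.php shape."""
    return json.dumps([{"index": 0,
                        "methodname": "core_user_update_user_preferences",
                        "args": {"userid": userid, "preferences": [
                            {"type": "course_overview_course_order", "value": value}]}}])


# Constructed sample traffic (not from any real incident). Session s1 walks
# the exploit sequence; s2 is a legitimate admin doing ordinary things.
SAMPLE_EVENTS = [
    {"method": "POST", "path": SAVE_PATH, "cookies": {"MoodleSession": "s1"},
     "body": "sesskey=abc&sortorder[]=0"},
    {"method": "POST", "path": AJAX_PATH, "cookies": {"MoodleSession": "s1"},
     "body": _ajax_body(5, 'a:1:{s:3:"foo";s:3:"bar";}')},
    {"method": "GET", "path": ADMIN_PATH, "query": "cache=0&confirmplugincheck=1",
     "cookies": {"MoodleSession": "s1"}},
    {"method": "POST", "path": AJAX_PATH, "cookies": {"MoodleSession": "s2"},
     "body": _ajax_body(7, "3,1,2")},
    {"method": "GET", "path": ADMIN_PATH, "query": "cache=0&confirmplugincheck=1",
     "cookies": {"MoodleSession": "s2"}},
]

if __name__ == "__main__":
    for session, rule in scan(SAMPLE_EVENTS, admin_sessions={"s2"}):
        print(f"ALERT session={session} rule={rule}")
```

Without the admin-session list the third rule also fires for s2, which is the false-positive case the page's "non-admin session" qualifier is meant to exclude; feed it the session IDs of known administrators, or join on the user role from Moodle's own logs, before alerting.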

CVSS provenance

nvd  v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv        9.8  CRITICAL

Note that the NVD v3.0 vector scores PR:N (no privileges required), whereas the known exploit, as stated under Detection & IOCs, needs an authenticated account on the target instance.