CVE-2021-36393
Published 2023-03-06
CVE-2021-36393: In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
Priority P275 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 52.30% (98.8th percentile)
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | < 3.9.8 | 3.9.8 |
| moodle | moodle | — | — |
| moodle | moodle | >= 0 < 3.9.8 | 3.9.8 |
| moodle | moodle | >= 3.10.0 < 3.10.5 | 3.10.5 |
| moodle | moodle | >= 3.10.0-beta < 3.10.5 | 3.10.5 |
| moodle | moodle | >= 3.11.0 < 3.11.1 | 3.11.1 |
| moodle | moodle | >= 3.11.0-beta < 3.11.1 | 3.11.1 |
Detection & IOCs (extracted from sources)
URL: /moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification
Command: fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)
- Monitor POST requests to /moodle/lib/ajax/service.php with the 'info' parameter set to 'core_course_get_enrolled_courses_by_timeline_classification' — this is the specific AJAX endpoint targeted by the SQLi exploit.
- Inspect the JSON 'sort' field in POST bodies to this endpoint for SQL keywords such as SLEEP, LIKE, SELECT, OR, and references to mdl_user or database() — these are the injection patterns used in the exploit.
- Alert on response time anomalies (>= 3 seconds) for requests to the AJAX service endpoint, as the exploit uses time-based blind SQLi with SLEEP(3) as the oracle.
- The exploit requires an authenticated session (MoodleSession cookie) and uses the X-Requested-With: XMLHttpRequest header — correlate authenticated sessions making repeated slow requests to the AJAX endpoint as a detection signal.
- The exploit iterates up to 50 characters per value and cycles through the full alphanumeric + special character set, resulting in a high volume of near-identical POST requests to the same endpoint in rapid succession — flag this pattern as brute-force SQLi exfiltration.
- The exploit targets Moodle version 3.10.1 specifically; the SQL injection is in the library fetching a user's recent courses, triggered via the 'sort' parameter of the core_course_get_enrolled_courses_by_timeline_classification AJAX method.
- Exploitation requires a valid authenticated session (sesskey and MoodleSession cookie), meaning the attacker must already have a low-privilege Moodle account — unauthenticated exploitation is not possible.
- The injection is blind and time-based (no direct output), so detection via response content inspection alone is insufficient — timing-based detection or WAF rules on the 'sort' parameter payload are required.
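The detection signals listed above, combined into one detector that runs over request logs, as an added example (it is not from the page's sources and not Moodle's own code). It reads constructed JSON-lines records with session, method, url, body and duration fields; those field names, the request-body shape (Moodle's AJAX service takes a JSON array of calls with methodname and args), the burst threshold of five requests per session and the placeholder sesskey are assumptions of this example.

```python
"""Detector for the CVE-2021-36393 indicators: POSTs to Moodle's AJAX service that
call core_course_get_enrolled_courses_by_timeline_classification with SQL in the
'sort' argument, responses slowed by the SLEEP(3) oracle, and request bursts from
one session. Example code, not Moodle's; log format and thresholds are assumed."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/lib/ajax/service.php"
TARGET_METHOD = "core_course_get_enrolled_courses_by_timeline_classification"
# Keywords and identifiers named in the indicators as the injection pattern.
SQL_TOKENS = re.compile(r"\b(SLEEP|SELECT|LIKE|OR|FROM|DATABASE)\b|mdl_user", re.IGNORECASE)
SLOW_SECONDS = 3.0       # SLEEP(3) is the timing oracle
BURST_THRESHOLD = 5      # assumed: this many target POSTs from one session counts as a burst


def sort_args(body):
    """Return every 'sort' argument of calls to the target method in an AJAX body."""
    try:
        calls = json.loads(body)
    except (TypeError, ValueError):
        return []
    if isinstance(calls, dict):
        calls = [calls]
    found = []
    for call in calls:
        if not isinstance(call, dict) or call.get("methodname") != TARGET_METHOD:
            continue
        args = call.get("args")
        if isinstance(args, dict) and "sort" in args:
            found.append(str(args["sort"]))
    return found


def targets_endpoint(rec):
    """True for a POST to the AJAX service whose 'info' query parameter names the method."""
    if rec.get("method") != "POST":
        return False
    url = urlsplit(rec.get("url", ""))
    return url.path.endswith(AJAX_PATH) and TARGET_METHOD in parse_qs(url.query).get("info", [])


def analyse(log_lines):
    """Return {session: sorted reasons} for sessions that show any of the indicators."""
    reasons = defaultdict(set)
    hits = defaultdict(int)
    for line in log_lines:
        rec = json.loads(line)
        if not targets_endpoint(rec):
            continue
        sess = rec.get("session", "?")
        hits[sess] += 1
        if any(SQL_TOKENS.search(s) for s in sort_args(rec.get("body", ""))):
            reasons[sess].add("sql_tokens_in_sort")
        if float(rec.get("duration", 0)) >= SLOW_SECONDS:
            reasons[sess].add("slow_response")
    for sess, count in hits.items():
        if count >= BURST_THRESHOLD:
            reasons[sess].add("burst_to_ajax_endpoint")
    return {sess: sorted(r) for sess, r in reasons.items()}


def _record(session, sort, duration):
    """Build one constructed log record in the assumed JSON-lines format."""
    body = json.dumps([{"index": 0, "methodname": TARGET_METHOD,
                        "args": {"offset": 0, "limit": 0, "classification": "all", "sort": sort}}])
    return json.dumps({"session": session, "method": "POST",
                       "url": f"/moodle{AJAX_PATH}?sesskey=SESSKEY_PLACEHOLDER&info={TARGET_METHOD}",
                       "body": body, "duration": duration})


# Constructed sample: two benign sorts from one session, then a session replaying the
# page's payload shape (column name is a placeholder); only matching guesses trigger SLEEP.
PAYLOAD = "fullname OR (SELECT somecolumn FROM mdl_user LIMIT 1 OFFSET 0) LIKE 'a%' AND SLEEP(3)"
SAMPLE_LOG = [
    _record("sess-benign", "fullname", 0.14),
    _record("sess-benign", "ul.timeaccess desc", 0.11),
] + [_record("sess-suspect", PAYLOAD, d) for d in (0.12, 3.08, 0.11, 3.05, 0.13)]

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

The three signals are kept separate on purpose: the token match fires on the first request, the slow-response signal only on guesses that satisfy the oracle, and the burst count catches the character-by-character iteration even if a WAF normalises the body out of the log.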
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- OSV: 9.8 CRITICAL
- GHSA, 2023-03-06: CVE-2021-36393 [CRITICAL] CWE-89, "Moodle SQL Injection vulnerability". In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
- OSV, 2023-03-06, CVSS 9.8: CVE-2021-36393 [CRITICAL], "CVE-2021-36393: In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses".
- OSV, 2023-03-06: CVE-2021-36393 [CRITICAL], "Moodle SQL Injection vulnerability".
No detection rules found.
No writeups or analysis indexed.