cbcvebase.
CVE-2021-36393
published 2023-03-06

CVE-2021-36393: In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

Priority: P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: EXPLOIT
EPSS: 52.30% (98.8th percentile)

Affected

7 ranges

Vendor   Product   Version range                 Fixed in
moodle   moodle    < 3.9.8                       3.9.8
moodle   moodle    (range not given)             (not given)
moodle   moodle    >= 0 < 3.9.8                  3.9.8
moodle   moodle    >= 3.10.0 < 3.10.5            3.10.5
moodle   moodle    >= 3.10.0-beta < 3.10.5       3.10.5
moodle   moodle    >= 3.11.0 < 3.11.1            3.11.1
moodle   moodle    >= 3.11.0-beta < 3.11.1       3.11.1

Detection & IOCs (extracted from sources)

url: /moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification
path: /moodle/lib/ajax/service.php
command: fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)
command: fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)
  • Monitor POST requests to /moodle/lib/ajax/service.php with the 'info' parameter set to 'core_course_get_enrolled_courses_by_timeline_classification' — this is the specific AJAX endpoint targeted by the SQLi exploit.
  • Inspect the JSON 'sort' field in POST bodies to this endpoint for SQL keywords such as SLEEP, LIKE, SELECT, OR, and references to mdl_user or database() — these are the injection patterns used in the exploit.
  • Alert on response time anomalies (>= 3 seconds) for requests to the AJAX service endpoint, as the exploit uses time-based blind SQLi with SLEEP(3) as the oracle.
  • The exploit requires an authenticated session (MoodleSession cookie) and uses the X-Requested-With: XMLHttpRequest header — correlate authenticated sessions making repeated slow requests to the AJAX endpoint as a detection signal.
  • The exploit iterates up to 50 characters per value and cycles through the full alphanumeric + special character set, resulting in a high volume of near-identical POST requests to the same endpoint in rapid succession — flag this pattern as brute-force SQLi exfiltration.
  • The exploit targets Moodle version 3.10.1 specifically; the SQL injection is in the library fetching a user's recent courses, triggered via the 'sort' parameter of the core_course_get_enrolled_courses_by_timeline_classification AJAX method.
  • Exploitation requires a valid authenticated session (sesskey and MoodleSession cookie), meaning the attacker must already have a low-privilege Moodle account — unauthenticated exploitation is not possible.
  • The injection is blind and time-based (no direct output), so detection via response content inspection alone is insufficient — timing-based detection or WAF rules on the 'sort' parameter payload are required.
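The detection checks listed above, as an added example written for this page rather than taken from the advisory's sources: it flags a 'sort' argument containing the listed SQL tokens, a response at or above the SLEEP(3) threshold, and per-session bursts of flagged requests. The request-record schema, the service.php body shape ({index, methodname, args}), the sample traffic and the burst threshold are assumptions made for the example.

```python
import json
import re
from collections import Counter

# Endpoint and web-service method named in the advisory.
TARGET_PATH = "/moodle/lib/ajax/service.php"
TARGET_INFO = "core_course_get_enrolled_courses_by_timeline_classification"
# SQL tokens the advisory lists as injection indicators in the 'sort' argument.
SQLI_TOKENS = re.compile(r"\b(SLEEP|LIKE|SELECT|OR)\b|mdl_user|database\s*\(", re.I)
SLOW_SECONDS = 3.0     # SLEEP(3) oracle -> response time >= 3 s
BURST_THRESHOLD = 3    # flagged requests per session before calling it exfiltration (assumed)

def classify(entry):
    """Return detection reasons for one request record (empty list = clean).
    Record keys (constructed schema, not a Moodle log format): path, query,
    body (raw JSON string), elapsed (seconds), session (MoodleSession id)."""
    if entry["path"] != TARGET_PATH or entry["query"].get("info") != TARGET_INFO:
        return []
    reasons = []
    try:
        calls = json.loads(entry["body"])
    except ValueError:
        return ["unparseable-body"]
    # service.php takes a JSON array of {"index","methodname","args"} calls (assumed shape).
    for call in (calls if isinstance(calls, list) else [calls]):
        args = call.get("args", {}) if isinstance(call, dict) else {}
        if SQLI_TOKENS.search(str(args.get("sort", ""))):
            reasons.append("sqli-pattern-in-sort")
            break
    if entry["elapsed"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons

def find_bursts(entries):
    """Sessions whose number of flagged requests reaches BURST_THRESHOLD."""
    hits = Counter(e["session"] for e in entries if classify(e))
    return {s for s, n in hits.items() if n >= BURST_THRESHOLD}

# Constructed sample traffic: one legitimate call, then a burst from a second session.
def _req(sort, elapsed, session):
    body = [{"index": 0, "methodname": TARGET_INFO,
             "args": {"offset": 0, "limit": 12, "classification": "all", "sort": sort}}]
    return {"path": TARGET_PATH, "query": {"info": TARGET_INFO, "sesskey": "x"},
            "body": json.dumps(body), "elapsed": elapsed, "session": session}

SAMPLE = [_req("fullname", 0.2, "sess-A")] + [
    _req(f"fullname OR (database()) LIKE '{c}%' AND SLEEP(3)", 3.1, "sess-B") for c in "moo"]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["session"], classify(e))
    print("burst sessions:", find_bursts(SAMPLE))
```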

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL