CVE-2022-0332
Published: 2022-01-25
Priority: P2 (77) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 44.92% (98.6th percentile)
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | — | — |
| moodle | moodle | >= 3.11 < 3.11.5 | 3.11.5 |
| moodle | moodle | >= 3.11.0 < 3.11.5 | 3.11.5 |
Detection & IOCs (extracted from sources)
- url: `/moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29`
- other: `sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29`
- Exploit targets the `mod_h5pactivity_get_user_attempts` web service function via GET request to `/webservice/rest/server.php`; monitor for SQL injection payloads in the `sortorder` parameter of this endpoint.
- The PoC injects a blind boolean-based SQL payload into the `sortorder` GET parameter using CASE/WHEN/ORD/MID/IFNULL/CAST constructs; detect URL-encoded SQL keywords (SELECT, CASE, WHEN, UNION, CAST, DATABASE) in the `sortorder` parameter of requests to `server.php`.
- The exploit PoC uses a notably outdated and specific User-Agent string (`Firefox/22.0`, dated 2013) which is anomalous for legitimate Moodle web service API calls; flag this UA in combination with requests to the h5pactivity web service endpoint.
- Attackers may use sqlmap to automate SQL injection exploitation against this CVE; monitor for sqlmap-generated payloads and its default User-Agent in traffic targeting Moodle web service endpoints.
- The vulnerable code path is in `mod/h5pactivity/classes/external/get_user_attempts.php`; file integrity monitoring or patch verification should target this file.
- The `wstoken` value in the PoC (`98f7d8003180afbd46ee160fdc05a4fc`) is specific to the researcher's test environment and will differ in real-world attacks; do not rely on this token value as a detection indicator.
- The Host header value (`local.numanturle.com`) in the PoC is a local test environment artifact and is not indicative of production attack traffic.
- Affected versions are Moodle 3.11 through 3.11.4 only; detections scoped to this CVE should be validated against the target Moodle version to reduce false positives on patched instances.
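The detection points above can be turned into a log check. The following is an added example (not from any of the page's sources): it parses constructed combined-format access log lines, keeps only requests to `server.php` that call `mod_h5pactivity_get_user_attempts`, and flags a `sortorder` value that contains SQL keywords or deviates from an assumed "column name plus optional ASC/DESC" shape, as well as sqlmap's User-Agent. The log lines, the token placeholder and the allowlist pattern are assumptions, not values from the page.

```python
"""Flag CVE-2022-0332 probes (SQLi in Moodle's h5pactivity web service) in access logs."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed combined-format access log lines for demonstration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2022:10:01:02 +0000] "GET /moodle/webservice/rest/server.php?wstoken=TOKEN_PLACEHOLDER&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jan/2022:10:01:09 +0000] "GET /moodle/webservice/rest/server.php?wstoken=TOKEN_PLACEHOLDER&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%20%27%27%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Jan/2022:10:02:00 +0000] "GET /moodle/webservice/rest/server.php?wstoken=TOKEN_PLACEHOLDER&wsfunction=mod_h5pactivity_get_user_attempts&sortorder=timecreated HTTP/1.1" 200 64 "-" "sqlmap/1.6"
10.0.0.8 - - [25/Jan/2022:10:03:00 +0000] "GET /moodle/course/view.php?id=2 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Keywords used by the PoC payload (CASE/WHEN/ORD/MID/IFNULL/CAST/SELECT/UNION/DATABASE).
SQL_KEYWORDS = re.compile(r"\b(select|case|when|union|cast|database|ord|mid|ifnull)\b", re.I)
# Assumed legitimate shape of sortorder: a column name, optionally followed by ASC/DESC.
SAFE_SORTORDER = re.compile(r"^[a-z_]+(\s+(asc|desc))?$", re.I)
SQLMAP_UA = re.compile(r"sqlmap", re.I)


def inspect_request(target, user_agent):
    """Return the reasons a request looks like a CVE-2022-0332 probe ([] when clean)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/webservice/rest/server.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("wsfunction", [""])[0] != "mod_h5pactivity_get_user_attempts":
        return []
    reasons = []
    for raw in params.get("sortorder", []):
        value = unquote_plus(raw)  # second decode pass catches double-encoded payloads
        if SQL_KEYWORDS.search(value):
            reasons.append("sql-keywords-in-sortorder")
        elif not SAFE_SORTORDER.match(value):
            reasons.append("unexpected-sortorder-format")
    if SQLMAP_UA.search(user_agent):
        reasons.append("sqlmap-user-agent")
    return reasons


def scan_log(text):
    """Return [(client_ip, reasons)] for every log line that trips a detection."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            reasons = inspect_request(match["target"], match["ua"])
            if reasons:
                hits.append((match["ip"], reasons))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged clients; the plain `sortorder=id` request and the unrelated course page are not reported.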
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
GHSA · 2022-01-28
CVE-2022-0332 [CRITICAL] CWE-89 SQL injection in Moodle
OSV · 2022-01-28
CVE-2022-0332 [CRITICAL] SQL injection in Moodle
OSV · 2022-01-25 · CVSS 9.8
CVE-2022-0332 [CRITICAL] CVE-2022-0332: A flaw was found in Moodle in versions 3
No detection rules found.
Unit42 · blogs_unit42 · 2022-09-16
## Zero-Day Exploit Detection Using Machine Learning
Jin Chen, Lei Xu, Andrew Guan, Zhibin Zhang, Yu Fu
Published: September 16, 2022
Tags: Threat Research, Vulnerabilities, Command injection, Deep learning, Machine Learning, Network security, SQL injection, Threat detection, Zero-days
## Executive Summary
Code injection is an attack technique widely used by threat actors to launch arbitrary code execution on victim machines through vulnerable applications. In 2021, the Open Web Application Security Project (OWASP) ranked it as third in the top 10 web application security risks.
Given the popularity of code injection in exploits, signatures with pattern matches are commonly used to identify the anomalies in network traffic (mostly URI path, header string, etc.). However, injections can happen in numerous forms, and a simple injection can easily evade a signature-based solution by adding extraneous strings. Therefore, signature-based solutions will often fail on the variants of the proof of concept (PoC) of Common Vulnerabilities and Exposures (CVEs). In this blog, we e