cbcvebase.
CVE-2022-0332
published 2022-01-25

Priority: P2 (77)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 44.92% (98.6th percentile)
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

Affected (3 ranges)

Vendor   Product   Version range         Fixed in
moodle   moodle
moodle   moodle    >= 3.11 < 3.11.5      3.11.5
moodle   moodle    >= 3.11.0 < 3.11.5    3.11.5

Detection & IOCs (extracted from sources)

url: /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29
path: /webservice/rest/server.php
other: wsfunction=mod_h5pactivity_get_user_attempts
other: sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29
  • The exploit targets the `mod_h5pactivity_get_user_attempts` web service function via a GET request to `/webservice/rest/server.php`; monitor for SQL injection payloads in the `sortorder` parameter of this endpoint.
  • The PoC injects a blind, boolean-based SQL payload into the `sortorder` GET parameter using CASE/WHEN/ORD/MID/IFNULL/CAST constructs; detect URL-encoded SQL keywords (SELECT, CASE, WHEN, UNION, CAST, DATABASE) in the `sortorder` parameter of requests to `server.php`.
  • The exploit PoC uses a notably outdated and specific User-Agent string (`Firefox/22.0`, dated 2013), which is anomalous for legitimate Moodle web service API calls; flag this UA in combination with requests to the h5pactivity web service endpoint.
  • Attackers may use sqlmap to automate exploitation of this CVE; monitor for sqlmap-generated payloads and its default User-Agent in traffic targeting Moodle web service endpoints.
  • The vulnerable code path is in `mod/h5pactivity/classes/external/get_user_attempts.php`; file integrity monitoring or patch verification should target this file.
  • The `wstoken` value in the PoC (`98f7d8003180afbd46ee160fdc05a4fc`) is specific to the researcher's test environment and will differ in real-world attacks; do not rely on this token value as a detection indicator.
  • The Host header value (`local.numanturle.com`) in the PoC is a local test environment artifact and is not indicative of production attack traffic.
  • Affected versions are Moodle 3.11 through 3.11.4 only; detections scoped to this CVE should be validated against the target Moodle version to reduce false positives on patched instances.
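As an added defender-side example (not taken from this page's sources or from Moodle), the Python script below applies the detection guidance above to constructed access-log lines: it isolates requests to `/webservice/rest/server.php` that call `mod_h5pactivity_get_user_attempts`, URL-decodes the `sortorder` parameter and flags SQL keywords, a non-column-name value, or the anomalous User-Agents named above. The log lines, client addresses and the column-name allowlist are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log (not real traffic). Line 2 carries a
# simplified boolean-blind payload of the same shape as the PoC on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2022:10:00:01 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=timecreated HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jan/2022:10:00:02 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%20%27%27%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"
10.0.0.7 - - [25/Jan/2022:10:00:03 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Keywords listed in the detection notes above, matched after URL decoding.
SQL_KEYWORDS = re.compile(r"\b(SELECT|CASE|WHEN|UNION|CAST|DATABASE)\b", re.IGNORECASE)
# Assumption: a legitimate sortorder is a bare column name, optionally followed by ASC/DESC.
ALLOWED_SORTORDER = re.compile(r"[A-Za-z_]+( (ASC|DESC))?", re.IGNORECASE)
H5P_FUNCTION = "mod_h5pactivity_get_user_attempts"


def analyse_line(line):
    """Return None for out-of-scope requests, else a dict with the triggered reasons."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/webservice/rest/server.php":
        return None
    query = parse_qs(parts.query)
    if query.get("wsfunction", [""])[0] != H5P_FUNCTION:
        return None
    # parse_qs decodes once; unquote again so double-encoded payloads are not missed.
    sortorder = unquote(query.get("sortorder", [""])[0])
    ua = m.group("ua")
    reasons = []
    if SQL_KEYWORDS.search(sortorder):
        reasons.append("sql_keywords_in_sortorder")
    if not ALLOWED_SORTORDER.fullmatch(sortorder):
        reasons.append("sortorder_not_allowlisted")
    if "Firefox/22.0" in ua or "sqlmap" in ua.lower():
        reasons.append("anomalous_user_agent")
    return {"client": line.split()[0], "sortorder": sortorder, "ua": ua, "reasons": reasons}


def scan(log_text):
    """Return one alert per in-scope request that triggered at least one reason."""
    return [r for r in (analyse_line(l) for l in log_text.splitlines()) if r and r["reasons"]]
```

Run `scan(SAMPLE_LOG)` to see the single flagged request; in production, pair the output with the version check noted above to suppress alerts on patched instances.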

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
OSV: 9.8 CRITICAL