CVE-2022-0332 — SQL injection in Moodle

Description

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

How to fix CVE-2022-0332

To remediate CVE-2022-0332, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 3.11.5 or later
Packagist/moodle/moodle—upgrade to 3.11.5 or later

Is CVE-2022-0332 being exploited?

Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.11.0, < 3.11.5
>= 3.11, < 3.11.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0332
WEBbugzilla.redhat.com/show_bug.cgi?id=2043661
WEBgithub.com/moodle/moodle
WEBgithub.com/moodle/moodle/commit/c7a62a8c82219b50589257f79021da1df1a76808
WEB