CVE-2022-0983 — SQL Injection in Moodle

Description

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

How to fix CVE-2022-0983

To remediate CVE-2022-0983, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 3.9.13 or later
Packagist/moodle/moodle—upgrade to 3.11.6 or later

Is CVE-2022-0983 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
>= 3.11.0, < 3.11.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0983
PATCHgithub.com/moodle/moodle
WEBbugzilla.redhat.com/show_bug.cgi?id=2064119
WEBgithub.com/moodle/moodle/commit/c2794752ea3cdda2d64a0651da08b2cdf730d9f1