MSA-22-0005: SQL injection risk in Badges criteria code

by Michael Hawkins.  

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or patch as soon as you are able to. We prepared the patch for this as soon as we became aware of the issue, to ensure a fix was available for this release.
It is important to reiterate that this vulnerability is only accessible by teachers/managers/admins by default, because it requires the capability to add and enable badge criteria. As mentioned in the workaround listed below, this can be mitigated (on all non-admin users) by removing the relevant capability until the patch is applied.

Versions affected:3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed:3.11.6, 3.10.10 and 3.9.13
Workaround:Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied.
CVE identifier:CVE-2022-0983
Changes (master):
Tracker issue:MDL-74074 SQL injection risk in Badges criteria code

Read more