Headline:
CVE-2022-30599: SQL injection risk in badge award criteria
A flaw was found in Moodle: an SQL injection risk was identified in the Badges code relating to configuring award criteria.
NOTE: In Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, access to this vulnerability was available to site administrators only. In earlier versions, the relevant capability was also granted by default to teachers and managers.
Severity/Risk:
Serious
Versions affected:
4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed:
4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by:
Michael Dunstan
Workaround:
In versions earlier than Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied (in newer versions this is not necessary).
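An added example, not code from Moodle or from this advisory: a Moodle CLI script (assumed to be saved as admin/cli/, so the config.php path is an assumption) that lists every role currently granted moodle/badges:configurecriteria and, only when run with --apply, removes that capability from those roles, which is the workaround above for sites still on versions earlier than 4.0, 3.11.6, 3.10.10 and 3.9.13.

```php
<?php
// Added example (not Moodle's own code). Lists, and optionally removes, the
// role assignments of the capability named in the CVE-2022-30599 workaround.
// Site administrators bypass capability checks, so they keep access either way.
define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');          // assumption: file lives in admin/cli/
require_once($CFG->libdir . '/clilib.php');

const AFFECTED_CAP = 'moodle/badges:configurecriteria';

list($options, $unrecognised) = cli_get_params(
    ['apply' => false, 'help' => false],
    ['a' => 'apply', 'h' => 'help']
);

if ($options['help']) {
    cli_writeln("Usage: php badges_criteria_cap.php [--apply]");
    cli_writeln("  Without --apply the script only reports which roles allow " . AFFECTED_CAP);
    exit(0);
}

cli_writeln("Site release: {$CFG->release}");
cli_writeln("The workaround is only needed on versions earlier than 4.0, 3.11.6, 3.10.10 and 3.9.13.");

// Roles that have an explicit CAP_ALLOW entry for the capability in any context.
$roles = get_roles_with_capability(AFFECTED_CAP, CAP_ALLOW);

if (empty($roles)) {
    cli_writeln("No role currently allows " . AFFECTED_CAP . "; nothing to do.");
    exit(0);
}

foreach ($roles as $role) {
    cli_writeln("Role '{$role->shortname}' (id {$role->id}) allows " . AFFECTED_CAP);
    if ($options['apply']) {
        // Removing the capability from all contexts leaves only admins with access
        // until the patched release is installed.
        unassign_capability(AFFECTED_CAP, $role->id);
        cli_writeln("  -> capability removed from role '{$role->shortname}'");
    }
}

if (!$options['apply']) {
    cli_writeln("Dry run only; re-run with --apply to remove the capability from the roles above.");
}
```

Re-run without --apply after the patch is installed to confirm which roles should have the capability restored; the script does not re-grant it.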
CVE identifier:
CVE-2022-30599
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333
Tracker issue:
MDL-74333 SQL injection risk in badge award criteria