Total vulnerabilities in the database
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
Software | From | Fixed in |
---|---|---|
moodle / moodle | 2.5.1 | 2.5.1.x |
moodle / moodle | 2.5.0 | 2.5.0.x |