Researchers have discovered serious vulnerabilities in Moodle, the popular open-source learning platform.

The first serious flaw can be exploited by an authenticated attacker to conduct an SQL injection attack via user preferences and add a new administrator user to the system. Once the attacker has an admin account on the system, they can execute arbitrary code by uploading a new plugin or a template to the server.

This vulnerability affects Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and older versions. A fix has been released for versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19.

Moodle developers noted that the flaw can only be exploited in Moodle versions prior to 3.2 by users with manager or admin rights. In version 3.2, the attack works with any type of user account, including teacher and student accounts.

The second serious flaw patched by Moodle last week has been described as a cross-site scripting (XSS) flaw in the functionality that allows users to attach files for evidence of prior learning.

“Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions,” Moodle wrote in its advisory.

The flaw only affects versions 3.2 to 3.2.1 and 3.1 to 3.1.4.