Description
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
Remediation
References
Related Vulnerabilities
WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-28032)
WordPress 3.1.3 Multiple SQL Injection Vulnerabilities (3.1 - 3.1.3)
Moodle Improper Input Validation Vulnerability (CVE-2019-3847)
WordPress Plugin Donorbox-Free Recurring Donation Form Cross-Site Scripting (7.1.1)
Drupal Core 4.7.x Cross-Site Request Forgery (4.7.0 - 4.7.10)