Vulnerable Versions: 2.2 RC2 and probably prior
Tested Version: 2.2 RC2
Advisory Publication: October 30, 2013 [without technical details]
Vendor Notification: October 30, 2013
Public Disclosure: November 27, 2013
Latest Update: November 27, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6341
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered a vulnerability in Dokeos, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in Dokeos: CVE-2013-6341
The vulnerability exists due to insufficient validation of the "language" HTTP GET parameter passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database and gain complete control over the vulnerable web application.
The following exploitation example displays the version of the MySQL server:
Currently we are not aware of any official solution for this vulnerability.
An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip
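To check whether a site has already received requests that abuse the "language" parameter described above, the following added example (not part of the original advisory or of the Dokeos code base) scans web server access-log lines for "/index.php" requests whose "language" value is not a plain language name. It assumes Combined Log Format and that legitimate language names contain only letters and underscores; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate language names are short identifiers such as
# "english" or "simpl_chinese"; tighten this to the languages you have installed.
SAFE_LANGUAGE = re.compile(r"[A-Za-z_]{1,40}")

# Combined Log Format: client IP ... "METHOD target PROTOCOL" status ...
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_language_requests(lines, script="/index.php"):
    """Return (client_ip, decoded_value, status) for every request to a path
    ending in `script` whose `language` parameter is not a plain identifier."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        # endswith() also covers installs in a subdirectory, e.g. /dokeos/index.php
        if not url.path.endswith(script):
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen
        for value in parse_qs(url.query, keep_blank_values=True).get("language", []):
            if not SAFE_LANGUAGE.fullmatch(value):
                hits.append((m["ip"], value, int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, not from the advisory)
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2013:10:00:01 +0000] "GET /index.php?language=french HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Nov/2013:10:00:05 +0000] "GET /index.php?language=english%27%20-- HTTP/1.1" 200 4980',
    '203.0.113.9 - - [27/Nov/2013:10:00:09 +0000] "GET /dokeos/index.php?id=3&language=0%29%3B HTTP/1.1" 500 310',
    '198.51.100.7 - - [27/Nov/2013:10:00:12 +0000] "GET /main/course.php?language=x%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value, status in suspicious_language_requests(SAMPLE_LOG):
        print(f"{ip} status={status} language={value!r}")
```

A hit shows only that a non-conforming value was sent, not that it succeeded; correlate the flagged clients with database and application logs before drawing conclusions.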
 High-Tech Bridge Advisory HTB23181 - https://www.htbridge.com/advisory/HTB23181 - SQL Injection in Dokeos.