CVE-2021-36393: 
PHP vulnerability analysis and mitigation

A serious SQL injection vulnerability was identified in Moodle's library functionality that fetches a user's recent courses. The vulnerability, tracked as CVE-2021-36393, was discovered by security researcher 0xkasper and publicly disclosed on July 19, 2021. The affected versions include Moodle 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7, and earlier unsupported versions (Moodle Forum).

The vulnerability received a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The SQL injection vulnerability could allow attackers to execute arbitrary SQL commands on the underlying database. Given the CVSS metrics, successful exploitation could lead to unauthorized access to sensitive data, manipulation of database contents, and potential disruption of service availability (NVD).

The vulnerability has been fixed in Moodle versions 3.11.1, 3.10.5, and 3.9.8. Organizations running affected versions should upgrade to these patched versions immediately. The fix can be tracked through the Moodle git repository under reference MDL-71242 (Moodle Forum).