CVE-2021-36402: 
PHP vulnerability analysis and mitigation

CVE-2021-36402 affects Moodle, an open-source learning management system. The vulnerability was discovered in users' names requiring additional sanitizing in the account confirmation email, which could lead to a self-registration phishing risk. The issue was reported by Babar Khan Akhunzada and was fixed in Moodle versions 3.11.1, 3.10.5, and 3.9.8 (Moodle Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue specifically relates to insufficient sanitization of user names in the account confirmation email system. For sites using customized 'emailconfirmation' language strings, administrators need to remove the placeholder {$a->firstname} to implement the fix (NVD).

The vulnerability could potentially be exploited for phishing attacks through the self-registration process. The impact is primarily focused on the integrity of email communications, with no direct effect on confidentiality or availability of the system (Moodle Advisory).

The vulnerability has been patched in Moodle versions 3.11.1, 3.10.5, and 3.9.8. Organizations using affected versions should upgrade to these patched versions. For those using customized email confirmation messages, the placeholder {$a->firstname} needs to be removed from the emailconfirmation language string (Moodle Advisory).