CVE-2021-40693: 
PHP vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2021-40693) was identified in Moodle's external database authentication functionality. The vulnerability is due to type juggling issues and affects Moodle versions 3.9.x before 3.9.10, 3.10.x before 3.10.7, and 3.11.x before 3.11.3 (CERT-FR).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction. The scope is unchanged, with no impact on confidentiality, high impact on integrity, and no impact on availability (NVD). The vulnerability is classified under CWE-287 (Improper Authentication).

The vulnerability could allow an attacker to bypass authentication mechanisms when using external database authentication functionality. The CVSS scoring indicates that while there is no impact on confidentiality or availability, there is a high impact on system integrity (Ubuntu).

Users should upgrade to Moodle versions 3.9.10, 3.10.7, or 3.11.3 or later, depending on their current version branch (CERT-FR).