CVE-2022-30600: 
PHP vulnerability analysis and mitigation

A flaw was discovered in Moodle's login attempt counting mechanism that could allow bypassing the account lockout threshold. The vulnerability (CVE-2022-30600) was reported by Shamim Rezaie and affects Moodle versions 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions. The issue was disclosed on May 17, 2022 (Moodle Forum).

The vulnerability stems from a logic flaw in how Moodle counts failed login attempts, which could result in the account lockout threshold being bypassed. The issue was classified with a CWE-682 (Incorrect Calculation) identifier (NVD CNA Status). The severity of this vulnerability was rated as 'Serious' by Moodle security team (Moodle Forum).

The vulnerability could allow attackers to bypass the account lockout mechanism, potentially enabling brute force attacks against user accounts. This could lead to unauthorized access to user accounts if successful (Red Hat Bugzilla).

The vulnerability has been fixed in Moodle versions 4.0.1, 3.11.7, 3.10.11, and 3.9.14. Users are advised to upgrade to these patched versions to protect against this security issue. The fix can be found in the Moodle git repository under reference MDL-73736 (Moodle Git).