CVE-2023-1402: 
PHP vulnerability analysis and mitigation

CVE-2023-1402 is a security vulnerability discovered in Moodle's course participation report functionality. The vulnerability was identified on March 14, 2023, affecting Moodle versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19, and earlier unsupported versions. The issue was reported by Chris Pratt and involves insufficient access control checks in the course participation report feature (Moodle Forum).

The vulnerability stems from inadequate access control mechanisms in Moodle's course participation report functionality. The system failed to implement proper checks to prevent the display of roles that users should not have access to view. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: None, Availability: None (Ubuntu Security).

The vulnerability allows unauthorized users to view role information in the course participation report that they should not have access to, potentially exposing sensitive organizational structure information (Moodle Forum).

The vulnerability has been fixed in Moodle versions 4.1.2, 4.0.7, 3.11.13, and 3.9.20. Organizations running affected versions should upgrade to these patched versions to address the security issue (Moodle Forum).