CVE-2023-30944: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2023-30944) was discovered in Moodle's Wiki activity functionality. The vulnerability exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. The vulnerability affects Moodle versions 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions (Moodle Forum).

The vulnerability stems from insufficient sanitization of user-supplied data in the external Wiki method used for listing pages. This security flaw allows a remote attacker to send specially crafted requests to the affected application and execute limited SQL commands within the application database. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) by NIST with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

If exploited, this vulnerability could allow an attacker to execute limited SQL commands within the application database, potentially leading to unauthorized access to data, data manipulation, or other database-related compromises (NVD).

The vulnerability has been fixed in Moodle versions 4.1.3, 4.0.8, 3.11.14, and 3.9.21. Users are advised to upgrade to these patched versions to protect against this vulnerability. The fix can be found in the Moodle git repository (Moodle Git).