CVE-2023-35132: 
PHP vulnerability analysis and mitigation

A limited SQL injection vulnerability (CVE-2023-35132) was identified on the Mnet SSO access control page in Moodle. The vulnerability affects multiple Moodle versions including 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21, and earlier unsupported versions. The issue was discovered by Paul Holden and was publicly disclosed on June 19, 2023 (Moodle Forum).

The vulnerability is classified as a SQL injection risk with a CVSS v3.1 base score of 6.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction, with potential impacts to confidentiality, integrity, and availability all rated as low (NVD).

The vulnerability could potentially allow attackers to execute SQL injection attacks through the Mnet SSO access control page, potentially compromising the confidentiality, integrity, and availability of the affected system, though all these impacts are rated as low according to the CVSS score (NVD).

The vulnerability has been fixed in Moodle versions 4.2.1, 4.1.4, 4.0.9, 3.11.15, and 3.9.22. Users are advised to upgrade to these patched versions to mitigate the risk (Moodle Forum).