CVE-2023-5550: 
PHP vulnerability analysis and mitigation

CVE-2023-5550 is a vulnerability in Moodle that was discovered in 2023. In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilize a local file include to achieve remote code execution. This vulnerability affects Moodle versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions (Moodle Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability involves a local file include (LFI) issue that could lead to remote code execution in misconfigured shared hosting environments (NVD).

If successfully exploited, this vulnerability allows an attacker to achieve remote code execution on the affected system. The critical CVSS score indicates high impacts on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed in Moodle versions 4.2.3, 4.1.6, 4.0.11, 3.11.17, and 3.9.24. Organizations running affected versions should upgrade to these patched versions (Moodle Advisory).