CVE-2023-5551: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Moodle's forum summary report functionality where Separate Groups mode restrictions were not properly enforced. The vulnerability, identified as CVE-2023-5551, was reported by Fabián Glagovsky and affects multiple Moodle versions from 3.9 through 4.2.2. The issue was disclosed on October 17, 2023, and allows unauthorized access to user information from other groups (Moodle Advisory).

The vulnerability stems from a failure to honor Separate Groups mode restrictions in the forum summary report functionality. This implementation flaw results in the display of users from other groups when they should be restricted. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access requirements and low severity impact (NVD).

The primary impact of this vulnerability is the potential exposure of user information to unauthorized parties within the same Moodle instance. When exploited, the flaw allows users to view information about participants from other groups in the forum summary report, despite the Separate Groups mode restrictions that should prevent such access (Moodle Advisory).

The vulnerability has been fixed in Moodle versions 4.2.3, 4.1.6, 4.0.11, 3.11.17, and 3.9.24. Organizations running affected versions should upgrade to the patched versions to resolve the security issue. The fix can be found in the Moodle git repository under the reference MDL-79310 (Moodle Git).