CVE-2024-43426: 
PHP vulnerability analysis and mitigation

A serious vulnerability (CVE-2024-43426) was discovered in pdfTeX, involving insufficient sanitization in the TeX notation filter. The vulnerability was disclosed on November 7, 2024, affecting sites where pdfTeX is available, particularly those with TeX Live installed. The affected versions include Moodle 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions (CERT-EU, NVD).

The vulnerability stems from insufficient sanitizing in the TeX notation filter, which could lead to arbitrary file read capabilities. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 7.5 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability has been classified under CWE-1287 (Improper Validation of Specified Type of Input) (NVD).

The vulnerability allows for arbitrary file read access on systems where pdfTeX is available. This particularly affects sites with TeX Live installed, potentially exposing sensitive system files to unauthorized access (Moodle Forum).

A temporary workaround has been provided to disable the TeX filter until the patch can be applied. Fixed versions have been released: 4.4.2, 4.3.6, 4.2.9, and 4.1.12. Organizations are recommended to update to these patched versions as soon as possible (Moodle Forum).