CVE-2023-35132
Moodle: minor SQL injection risk on Mnet SSO access control page
CVSS 3.1: 6.3 (MEDIUM)
EPSS: 0.26%
Description
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
How to fix CVE-2023-35132
To remediate CVE-2023-35132, upgrade the affected package to a fixed version below.
- Bitnami/moodle—upgrade to 3.9.22 or later
- —upgrade to 4.2.1 or later
Is CVE-2023-35132 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.9.22; >= 3.11.0, < 3.11.15; >= 4.0.0, < 4.0.9; >= 4.1.0, < 4.1.4; >= 4.2.0, < 4.2.1
- >= 4.2.0, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |