CVE-2024-43436: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2024-43436) was discovered in the XMLDB editor tool of Moodle, which is accessible to site administrators. The vulnerability was reported by TaiYou and was publicly disclosed on August 19, 2024. The affected versions include Moodle 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions (Moodle Forum).

The vulnerability is classified as a SQL injection risk in the XMLDB editor tool, which is a component accessible to site administrators. The CVSS 3.1 base score is 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

The vulnerability has been rated as 'Serious' by Moodle. Given the CVSS score and vector string, successful exploitation could lead to high impacts on confidentiality, integrity, and availability of the system, particularly concerning database operations through the XMLDB editor tool (CERT-EU).

The vulnerability has been fixed in Moodle versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12. Organizations running affected versions should upgrade to the corresponding fixed version as soon as possible (Moodle Forum).