I’ve rolled out the latest version of Moodle, currently 3.7+ (Build: 20190620), with most security configuration recommendations applied.
As per company policy, it has to pass a Vulnerability Assessment first before it can be published to the external network. I’ve had it scanned using an open-source web application security scanner, OWASP ZAP (2.8.0), and there’s one High Risk alert related to SQL Injection; the URL refers to login/index.php.
Is this a known/common issue? How do I remediate the risk?