Security announcements

MSA-25-0061: User IDs exposed in URLs when using anonymous submissions in assignment

by Michael Hawkins -

When blind marking is enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Mihail Geshoski
CVE identifier: CVE-2025-67857
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82808
Tracker issue: MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment

MSA-25-0060: Badges with a role criterion could be awarded to users who do not hold the role

by Michael Hawkins -

Badges being awarded with a role performed the correct capability check, but did not verify the user had the required role to meet the award criterion.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67856
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86507
Tracker issue: MDL-86507 Badges with a role criterion could be awarded to users who do not hold the role

MSA-25-0059: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Nicecatch2000
CVE identifier: CVE-2025-67855
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86544
Tracker issue: MDL-86544 Reflected XSS risk in policy tool

MSA-25-0058: Participants can access forum ratings without permission

by Michael Hawkins -

Forum ratings required additional permission checks to prevent users from being able to view ratings they did not have the capability to access.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67854
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86960
Tracker issue: MDL-86960 Participants can access forum ratings without permission

MSA-25-0057: Password brute force risk from confirmation email web service

by Michael Hawkins -

Insufficient checks on a confirmation email web service made it easier to brute force password checks against known usernames.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Petr Skoda
CVE identifier: CVE-2025-67853
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86326
Tracker issue: MDL-86326 Password brute force risk from confirmation email web service

MSA-25-0056: Open redirect in OAuth login

by Michael Hawkins -

An open redirect risk existed in the OAuth login functionality.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Paolo Lazzaroni
CVE identifier: CVE-2025-67852
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80317
Tracker issue: MDL-80317 Open redirect in OAuth login

MSA-25-0055: Formula injection risk when exporting data to CSV / Excel

by Michael Hawkins -

Insufficient sanitizing when exporting data to CSV / XLSX format could result in malicious formulas being inserted into the files.

Note: Most modern spreadsheet software will warn users and require confirmation before running potentially risky formulas; however, this is still considered a risk, as users may still accept the warning.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Brendan Heywood
CVE identifier: CVE-2025-67851
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72744
Tracker issue: MDL-72744 Formula injection risk when exporting data to CSV / Excel
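The general defence against this class of issue, as an added example (this is not Moodle's code and says nothing about how MDL-72744 itself was fixed): before writing user-supplied values into a CSV export, prefix any string that starts with a character spreadsheet software treats as a formula trigger, and quote every field. The trigger list, the function names and the sample rows are assumptions constructed for this illustration; `scan_for_formula_cells` is a review aid that lists the cells an unsanitised export would hand to the spreadsheet as formulas.

```python
# Added example (not Moodle's own code): neutralising spreadsheet formula triggers
# before writing user-supplied values into a CSV export.
import csv
import io

# Leading characters that common spreadsheet applications treat as the start of a
# formula (tab and CR are included because they can break field structure and
# smuggle a trigger into the next cell). Assumed list, modelled on common guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value) -> bool:
    """True if a string cell would be evaluated by a spreadsheet rather than displayed."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value) -> str:
    """Return a representation that a spreadsheet will show as literal text.

    Strings that start with a trigger character get a leading apostrophe, which
    spreadsheets read as "text, do not evaluate". Numbers are converted without
    the prefix so a legitimate negative number such as -5 is still imported as a
    number; only text that happens to begin with '-' is treated as suspect.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    return "'" + text if looks_like_formula(text) else text


def scan_for_formula_cells(rows):
    """Review aid: (row, column) positions of cells that would trigger a formula."""
    return [(r, c) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if looks_like_formula(cell)]


def export_csv(rows) -> str:
    """Serialise rows to CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a grade-style export in which the "name" column is user-typed.
SAMPLE_ROWS = [
    ["name", "grade"],
    ["Alice", 87],
    ["=SUM(1,2)", 42],
    ["Bob", -5],
]

if __name__ == "__main__":
    print("cells that would be evaluated:", scan_for_formula_cells(SAMPLE_ROWS))
    print(export_csv(SAMPLE_ROWS))
```

The apostrophe prefix is applied only to string values, which is the design choice worth noting: an export that neutralised every cell starting with `-` would turn negative grades into text. The same rule carries over to XLSX output, where the equivalent control is to write such values with an explicit string cell type instead of letting the writer infer a formula from the leading `=`.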

MSA-25-0054: XSS risk in formula editor

by Michael Hawkins -

Insufficient sanitizing in the formula editor could result in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2025-67850
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85557
Tracker issue: MDL-85557 XSS risk in formula editor

MSA-25-0053: XSS risk via AI prompt injection

by Michael Hawkins -

Insufficient sanitizing of AI provider responses resulted in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3 and 4.5 to 4.5.7
Versions fixed: 5.1.1, 5.0.4 and 4.5.8
Reported by: Vuln37
CVE identifier: CVE-2025-67849
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87267
Tracker issue: MDL-87267 XSS risk via AI prompt injection

MSA-25-0052: Authentication via LTI Provider available to suspended users

by Michael Hawkins -

Suspended users were not prevented from authenticating via the LTI Provider.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Attilio Ferrari
CVE identifier: CVE-2025-67848
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286
Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users