Security announcements

MSA-25-0028: IDOR when accessing the cohorts report

by Michael Hawkins -

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

MSA-25-0027: IDOR in messaging web service allows access to some user details

by Michael Hawkins -

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details

MSA-25-0026: AJAX section delete does not respect course_can_delete_section()

by Michael Hawkins -

Additional checks were required to prevent users deleting course sections they did not have permission to modify.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: James E. Calder
CVE identifier: CVE-2025-3644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83994
Tracker issue: MDL-83994 AJAX section delete does not respect course_can_delete_section()

MSA-25-0025: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
CVE identifier: CVE-2025-3643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85104
Tracker issue: MDL-85104 Reflected XSS risk in policy tool

MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

by Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the EQUELLA repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3642
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84473
Tracker issue: MDL-84473 Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository

by Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the Dropbox repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3641
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84475
Tracker issue: MDL-84475 Authenticated remote code execution risk in the Moodle LMS Dropbox repository

MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users

by Michael Hawkins -

Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Khikhi
CVE identifier: CVE-2025-3640
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84750
Tracker issue: MDL-84750 IDOR in web service allows users enrolled in a course to access some details of other users

MSA-25-0021: CSRF risk in Brickfield tool's analysis request action

by Michael Hawkins -

The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3638
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84478
Tracker issue: MDL-84478 CSRF risk in Brickfield tool's analysis request action

MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter

by Michael Hawkins -

A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Simon Reinhart
CVE identifier: CVE-2025-3637
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Tracker issue: MDL-65356 mod_data edit/delete pages pass CSRF token in GET parameter

MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds

by Michael Hawkins -

Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3636
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84499
Tracker issue: MDL-84499 IDOR in RSS block allows access to additional RSS feeds