Security announcements

MSA-25-0050: Possible to bypass timer in timed assignments

by Michael Hawkins -

There was a behaviour that made it possible for a student to bypass the timed restriction on a timed assignment.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Charles Fulton
CVE identifier: CVE-2025-62401
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087
Tracker issue: MDL-75087 Possible to bypass timer in timed assignments

MSA-25-0049: Names of hidden groups are visible to users with access to create group calendar events

by Michael Hawkins -

Insufficient capability checks meant users with the capability to create group events, but without the capability to view hidden groups, could see hidden and separate groups in the list of groups to select for calendar events.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Robert Toth
CVE identifier: CVE-2025-62400
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86261
Tracker issue: MDL-86261 Names of hidden groups are visible to users with access to create group calendar events

MSA-25-0048: Password brute force risk when mobile/web services enabled

by Michael Hawkins -

It was possible to brute force password checks against known usernames when the mobile client and auth_webservice were enabled.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Petr Skoda
CVE identifier: CVE-2025-62399
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86327
Tracker issue: MDL-86327 Password brute force risk when mobile/web services enabled

MSA-25-0047: Possible to bypass MFA

by Michael Hawkins -

Incorrect handling of some endpoints during login made it possible to bypass the second factor of multi-factor authentication. Note: A valid username and password were still required to log in.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10
Versions fixed: 5.0.3, 4.5.7 and 4.4.11
Reported by: Petr Skoda
CVE identifier: CVE-2025-62398
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86334
Tracker issue: MDL-86334 Possible to bypass MFA

MSA-25-0046: Router produces JSON instead of 404 error when passed a non-existent course ID

by Michael Hawkins -

The router made it possible to determine valid course IDs due to inconsistent handling of valid and non-existent course IDs.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Adam Jenkins
CVE identifier: CVE-2025-62397
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86335
Tracker issue: MDL-86335 Router produces JSON instead of 404 error when passed a non-existent course ID

MSA-25-0045: When using router (r.php) it was possible for the server to show application directories

by Michael Hawkins -

Incorrect error handling in the routing system could result in the application directories being listed if the "Accept text/html" header was not configured.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Yedidia Klein
CVE identifier: CVE-2025-62396
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86494
Tracker issue: MDL-86494 When using router (r.php) it was possible for the server to show application directories

MSA-25-0044: External cohort search service method leaks system cohort data

by Michael Hawkins -

Insufficient capability checks meant a user with permission to manage/view cohorts in a lower context could retrieve data about cohorts defined in the system context that they would not otherwise have access to.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Paul Holden
CVE identifier: CVE-2025-62395
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85421
Tracker issue: MDL-85421 External cohort search service method leaks system cohort data

MSA-25-0043: Quiz notifications sent to suspended course participants

by Michael Hawkins -

Insufficient enrolment checks could result in quiz notifications being sent to users who had an inactive enrolment in the course (such as being suspended or past their enrolment end date).

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Philipp Hager
CVE identifier: CVE-2025-62394
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86253
Tracker issue: MDL-86253 Quiz notifications sent to suspended course participants

MSA-25-0042: Upgrade FPDI including security fix (upstream)

by Michael Hawkins -

The upstream FPDI library was upgraded, which included a security fix.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Michael Hawkins
CVE identifier: CVE-2025-54869
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86353
Tracker issue: MDL-86353 Upgrade FPDI including security fix (upstream)

MSA-25-0041: Course access permissions are not properly checked in course_output_fragment_course_overview

by Michael Hawkins -

Insufficient handling of course access checks in a course overview function could result in the information being returned to a user who did not have access to the course.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Dani Palou
CVE identifier: CVE-2025-62393
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86426
Tracker issue: MDL-86426 Course access permissions are not properly checked in course_output_fragment_course_overview