Security announcements

MSA-25-0061: User IDs exposed in URLs when using anonymous submissions in assignment

by Michael Hawkins

When blind marking was enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Mihail Geshoski
CVE identifier: CVE-2025-67857
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82808
Tracker issue: MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment

MSA-25-0060: Badges with a role criterion could be awarded to users who do not hold the role

by Michael Hawkins

Awarding a badge with a role criterion performed the correct capability check, but did not verify that the user actually held the required role to meet the award criterion.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67856
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86507
Tracker issue: MDL-86507 Badges with a role criterion could be awarded to users who do not hold the role

MSA-25-0059: Reflected XSS risk in policy tool

by Michael Hawkins

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Nicecatch2000
CVE identifier: CVE-2025-67855
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86544
Tracker issue: MDL-86544 Reflected XSS risk in policy tool

MSA-25-0058: Participants can access forum ratings without permission

by Michael Hawkins

Forum ratings required additional permission checks to prevent users from being able to view ratings they did not have the capability to access.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67854
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86960
Tracker issue: MDL-86960 Participants can access forum ratings without permission

MSA-25-0057: Password brute force risk from confirmation email web service

by Michael Hawkins

Insufficient checks on a confirmation email web service made it easier to brute force password checks against known usernames.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Petr Skoda
CVE identifier: CVE-2025-67853
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86326
Tracker issue: MDL-86326 Password brute force risk from confirmation email web service

MSA-25-0056: Open redirect in OAuth login

by Michael Hawkins

An open redirect risk existed in the OAuth login functionality.

Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Paolo Lazzaroni
CVE identifier: CVE-2025-67852
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80317
Tracker issue: MDL-80317 Open redirect in OAuth login

MSA-25-0055: Formula injection risk when exporting data to CSV / Excel

by Michael Hawkins

Insufficient sanitizing when exporting data to CSV / XLSX format could result in malicious formulas being inserted into the files.

Note: Most modern spreadsheet software will warn users and require confirmation before running potentially risky formulas; however, this is still considered a risk because users may accept the warning.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Brendan Heywood
CVE identifier: CVE-2025-67851
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72744
Tracker issue: MDL-72744 Formula injection risk when exporting data to CSV / Excel

MSA-25-0054: XSS risk in formula editor

by Michael Hawkins

Insufficient sanitizing in the formula editor could result in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2025-67850
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85557
Tracker issue: MDL-85557 XSS risk in formula editor

MSA-25-0053: XSS risk via AI prompt injection

by Michael Hawkins

Insufficient sanitizing of AI provider responses resulted in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3 and 4.5 to 4.5.7
Versions fixed: 5.1.1, 5.0.4 and 4.5.8
Reported by: Vuln37
CVE identifier: CVE-2025-67849
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87267
Tracker issue: MDL-87267 XSS risk via AI prompt injection

MSA-25-0052: Authentication via LTI Provider available to suspended users

by Michael Hawkins

Suspended users were not prevented from authenticating via the LTI Provider.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Attilio Ferrari
CVE identifier: CVE-2025-67848
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286
Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users