Security announcements

MSA-25-0036: IDOR allows fetching of recently accessed courses for other users via web service

- Posted by Michael Hawkins

A stricter capability check was required to restrict which users can fetch other users' recently accessed courses information.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: B3XAL
CVE identifier: CVE-2025-49518
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79993
Tracker issue: MDL-79993 IDOR allows fetching of recently accessed courses for other users via web service

MSA-25-0035: Missing authorisation checks in BigBlueButton view page

- Posted by Michael Hawkins

Insufficient authorisation checks could result in users being able to view BigBlueButton recordings they did not have permission to access.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49517
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84706
Tracker issue: MDL-84706 Missing authorisation checks in BigBlueButton view page

MSA-25-0034: CSRF risk in badges backpack management

- Posted by Michael Hawkins

The "move up" and "move down" actions in backpack management for badges did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49516
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84497
Tracker issue: MDL-84497 CSRF risk in badges backpack management

MSA-25-0033: Course visibility not honoured consistently

- Posted by Michael Hawkins

Insufficient state and capability checks resulted in some details of hidden courses (such as course name, description and teachers) being available to users who did not have permission to access them.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49515
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84518
Tracker issue: MDL-84518 Course visibility not honoured consistently

MSA-25-0032: SSRF risk via DNS rebind

- Posted by Michael Hawkins

A DNS rebind risk in the way cURL requests were handled could result in an SSRF risk, due to the possibility of cURL blocked hosts / allowed ports site configurations being bypassed.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Rekter0 and Holme, 0x123456789, TaiYou, and Vladislav Gladkiy (Positive Technologies)
CVE identifier: CVE-2025-49514
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83762
Tracker issue: MDL-83762 SSRF risk via DNS rebind

MSA-25-0031: Upgrade ADOdb including security fix (upstream)

- Posted by Michael Hawkins

The upstream ADOdb library contained an SQL injection risk in the pg_insert_id() method. It is important to note that the core Moodle LMS was NOT affected by this vulnerability; however, as a precaution, this library has been upgraded to remove the risk entirely, in case any third-party code/plugins use the vulnerable code.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Alex Chiou
CVE identifier: CVE-2025-46337
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85375
Tracker issue: MDL-85375 Upgrade ADOdb including security fix (upstream)

MSA-25-0030: Password can be revealed in login page after log out due to caching

- Posted by Michael Hawkins

Additional cache controls were required to prevent web browsers caching a user's password on the login page (note accessing this would require access to the web browser on the device where the user had logged in).

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Mark Johnson
CVE identifier: CVE-2025-49513
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85323
Tracker issue: MDL-85323 Password can be revealed in login page after log out due to caching

MSA-25-0029: XSS risk in MathJax (safe extension not loaded)

- Posted by Michael Hawkins

An extension was omitted from the MathJax configuration shipped with Moodle when the library was upgraded in LMS 5.0, resulting in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.0
Versions fixed: 5.0.1
Reported by: Martin Gauk
CVE identifier: CVE-2025-49512
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85488
Tracker issue: MDL-85488 XSS risk in MathJax (safe extension not loaded)

MSA-25-0028: IDOR when accessing the cohorts report

- Posted by Michael Hawkins

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

MSA-25-0027: IDOR in messaging web service allows access to some user details

- Posted by Michael Hawkins

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details