Security announcements

MSA-25-0036: IDOR allows fetching of recently accessed courses for other users via web service

de către Michael Hawkins-

A stricter capability check was required to restrict which users can fetch other users' recently accessed courses information.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: B3XAL
CVE identifier: CVE-2025-49518
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79993
Tracker issue: MDL-79993 IDOR allows fetching of recently accessed courses for other users via web service
Discută acest subiect  (0 replici în total)

MSA-25-0035: Missing authorisation checks in BigBlueButton view page

de către Michael Hawkins-

Insufficient authorisation checks could result in users being able to view BigBlueButton recordings they did not have permission to access.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49517
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84706
Tracker issue: MDL-84706 Missing authorisation checks in BigBlueButton view page
Discută acest subiect  (0 replici în total)

MSA-25-0034: CSRF risk in badges backpack management

de către Michael Hawkins-

The "move up" and "move down" actions in backpack management for badges did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49516
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84497
Tracker issue: MDL-84497 CSRF risk in badges backpack management
Discută acest subiect  (0 replici în total)

MSA-25-0033: Course visibility not honoured consistently

de către Michael Hawkins-

Insufficient state and capability checks resulted in some details of hidden courses (such as course name, description and teachers) being available to users who did not have permission to access them.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49515
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84518
Tracker issue: MDL-84518 Course visibility not honoured consistently
Discută acest subiect  (0 replici în total)

MSA-25-0032: SSRF risk via DNS rebind

de către Michael Hawkins-

A DNS rebind risk in the way cURL requests were handled could result in an SSRF risk, due to the possibility of cURL blocked hosts / allowed ports site configurations being bypassed.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Rekter0 and Holme, 0x123456789, TaiYou, and Vladislav Gladkiy (Positive Technologies)
CVE identifier: CVE-2025-49514
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83762
Tracker issue: MDL-83762 SSRF risk via DNS rebind
Discută acest subiect  (0 replici în total)

MSA-25-0031: Upgrade ADOdb including security fix (upstream)

de către Michael Hawkins-

The upstream ADOdb library contained an SQL injection risk in the pg_insert_id() method. It is important to note that the core Moodle LMS was NOT affected by this vulnerability, however as a precaution, this library has been upgraded to remove the risk entirely, in case any third party code/plugins uses the vulnerable code.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Alex Chiou
CVE identifier: CVE-2025-46337
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85375
Tracker issue: MDL-85375 Upgrade ADOdb including security fix (upstream)
Discută acest subiect  (0 replici în total)

MSA-25-0030: Password can be revealed in login page after log out due to caching

de către Michael Hawkins-

Additional cache controls were required to prevent web browsers caching a user's password on the login page (note accessing this would require access to the web browser on the device where the user had logged in).

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Mark Johnson
CVE identifier: CVE-2025-49513
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85323
Tracker issue: MDL-85323 Password can be revealed in login page after log out due to caching
Discută acest subiect  (0 replici în total)

MSA-25-0029: XSS risk in MathJax (safe extension not loaded)

de către Michael Hawkins-

An extension was omitted from the MathJax configuration shipped with Moodle when the library was upgraded in LMS 5.0, resulting in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.0
Versions fixed: 5.0.1
Reported by: Martin Gauk
CVE identifier: CVE-2025-49512
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85488
Tracker issue: MDL-85488 XSS risk in MathJax (safe extension not loaded)
Discută acest subiect  (0 replici în total)

MSA-25-0028: IDOR when accessing the cohorts report

de către Michael Hawkins-

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report
Discută acest subiect  (0 replici în total)

MSA-25-0027: IDOR in messaging web service allows access to some user details

de către Michael Hawkins-

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details
Discută acest subiect  (0 replici în total)