Security announcements

MSA-25-0055: Formula injection risk when exporting data to CSV / Excel

by Michael Hawkins

Insufficient sanitizing when exporting data to CSV / XLSX format could result in malicious formulas being inserted into the files.

Note: Most modern spreadsheet software will warn users and require confirmation before running potentially risky formulas; however, this is still considered a risk, as users may still accept the warning.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Brendan Heywood
CVE identifier: CVE-2025-67851
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72744
Tracker issue: MDL-72744 Formula injection risk when exporting data to CSV / Excel

MSA-25-0054: XSS risk in formula editor

by Michael Hawkins

Insufficient sanitizing in the formula editor could result in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2025-67850
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85557
Tracker issue: MDL-85557 XSS risk in formula editor

MSA-25-0053: XSS risk via AI prompt injection

by Michael Hawkins

Insufficient sanitizing of AI provider responses resulted in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3 and 4.5 to 4.5.7
Versions fixed: 5.1.1, 5.0.4 and 4.5.8
Reported by: Vuln37
CVE identifier: CVE-2025-67849
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87267
Tracker issue: MDL-87267 XSS risk via AI prompt injection

MSA-25-0052: Authentication via LTI Provider available to suspended users

by Michael Hawkins

Suspended users were not prevented from authenticating via the LTI Provider.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Attilio Ferrari
CVE identifier: CVE-2025-67848
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286
Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users

MSA-25-0051: Remote code execution risk via file restore

by Michael Hawkins

A remote code execution risk was identified in the file restore functionality.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Dinhnhi from VNPT-VCI
CVE identifier: CVE-2025-67847
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87353
Tracker issue: MDL-87353 Remote code execution risk via file restore

MSA-25-0050: Possible to bypass timer in timed assignments

by Michael Hawkins

A behaviour in timed assignments made it possible for a student to bypass the time restriction on a timed assignment.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Charles Fulton
CVE identifier: CVE-2025-62401
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087
Tracker issue: MDL-75087 Possible to bypass timer in timed assignments

MSA-25-0049: Names of hidden groups are visible to users with access to create group calendar events

by Michael Hawkins

Insufficient capability checks meant users with the capability to create group events, but without the capability to view hidden groups, could see hidden and separate groups in the list of groups to select for calendar events.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Robert Toth
CVE identifier: CVE-2025-62400
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86261
Tracker issue: MDL-86261 Names of hidden groups are visible to users with access to create group calendar events

MSA-25-0048: Password brute force risk when mobile/web services enabled

by Michael Hawkins

It was possible to brute force password checks against known usernames when the mobile client and auth_webservice were enabled.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Petr Skoda
CVE identifier: CVE-2025-62399
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86327
Tracker issue: MDL-86327 Password brute force risk when mobile/web services enabled

MSA-25-0047: Possible to bypass MFA

by Michael Hawkins

Incorrect handling of some endpoints during login made it possible to bypass the second factor of multi-factor authentication. Note: A valid username and password were still required to log in.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10
Versions fixed: 5.0.3, 4.5.7 and 4.4.11
Reported by: Petr Skoda
CVE identifier: CVE-2025-62398
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86334
Tracker issue: MDL-86334 Possible to bypass MFA

MSA-25-0046: Router produces JSON instead of 404 error when passed a non-existent course ID

by Michael Hawkins

The router made it possible to determine valid course IDs due to inconsistent handling of valid and non-existent course IDs.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Adam Jenkins
CVE identifier: CVE-2025-62397
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86335
Tracker issue: MDL-86335 Router produces JSON instead of 404 error when passed a non-existent course ID