Security announcements

MSA-25-0055: Formula injection risk when exporting data to CSV / Excel

de Michael Hawkins -

Insufficient sanitizing when exporting data to CSV / XLSX format could result in malicious formulas being inserted into the files.

Note: Most modern spreadsheet software will warn users and require confirmation before running potentially risky formulas, however this is still considered a risk as users may still accept the warning.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Brendan Heywood
CVE identifier: CVE-2025-67851
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72744
Tracker issue: MDL-72744 Formula injection risk when exporting data to CSV / Excel
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0054: XSS risk in formula editor

de Michael Hawkins -

Insufficient sanitizing in the formula editor could result in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2025-67850
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85557
Tracker issue: MDL-85557 XSS risk in formula editor
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0053: XSS risk via AI prompt injection

de Michael Hawkins -

Insufficient sanitizing of AI provider responses resulted in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3 and 4.5 to 4.5.7
Versions fixed: 5.1.1, 5.0.4 and 4.5.8
Reported by: Vuln37
CVE identifier: CVE-2025-67849
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87267
Tracker issue: MDL-87267 XSS risk via AI prompt injection
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0052: Authentication via LTI Provider available to suspended users

de Michael Hawkins -

Suspended users were not prevented from authenticating via the LTI Provider

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Attilio Ferrari
CVE identifier: CVE-2025-67848
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286
Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0051: Remote code execution risk via file restore

de Michael Hawkins -

A remote code execution risk was identified in the file restore functionality.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Dinhnhi from VNPT-VCI
CVE identifier: CVE-2025-67847
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87353
Tracker issue: MDL-87353 Remote code execution risk via file restore
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0050: Possible to bypass timer in timed assignments

de Michael Hawkins -

There was a behaviour that made it possible for a student to bypass the timed restriction on a timed assignment.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Charles Fulton
CVE identifier: CVE-2025-62401
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087
Tracker issue: MDL-75087 Possible to bypass timer in timed assignments
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0049: Names of hidden groups are visible to users with access to create group calendar events

de Michael Hawkins -

Insufficient capability checks meant users with the capability to create group events, but without the capability to view hidden groups, could see hidden and separate groups in the list of groups to select for calendar events.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Robert Toth
CVE identifier: CVE-2025-62400
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86261
Tracker issue: MDL-86261 Names of hidden groups are visible to users with access to create group calendar events
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0048: Password brute force risk when mobile/web services enabled

de Michael Hawkins -

It was possible to brute force password checks against known usernames when the mobile client and auth_webservice were enabled.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Petr Skoda
CVE identifier: CVE-2025-62399
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86327
Tracker issue: MDL-86327 Password brute force risk when mobile/web services enabled
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0047: Possible to bypass MFA

de Michael Hawkins -

Incorrect handling of some endpoints during login made it possible to bypass the second factor of multi-factor authentication. Note: A valid username and password were still required to log in.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10
Versions fixed: 5.0.3, 4.5.7 and 4.4.11
Reported by: Petr Skoda
CVE identifier: CVE-2025-62398
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86334
Tracker issue: MDL-86334 Possible to bypass MFA
Hacer un comentario en este tema  (0 réplicas)

MSA-25-0046: Router produces JSON instead of 404 error when passed a non-existent course ID

de Michael Hawkins -

The router made it possible to determine valid course IDs due to inconsistent handling of valid and non-existent course IDs.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Adam Jenkins
CVE identifier: CVE-2025-62397
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86335
Tracker issue: MDL-86335 Router produces JSON instead of 404 error when passed a non-existent course ID
Hacer un comentario en este tema  (0 réplicas)