Security announcements

MSA-25-0031: Upgrade ADOdb including security fix (upstream)

by Michael Hawkins -

The upstream ADOdb library contained an SQL injection risk in the pg_insert_id() method. It is important to note that the core Moodle LMS was NOT affected by this vulnerability; however, as a precaution, the library has been upgraded to remove the risk entirely, in case any third-party code or plugins use the vulnerable method.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Alex Chiou
CVE identifier: CVE-2025-46337
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85375
Tracker issue: MDL-85375 Upgrade ADOdb including security fix (upstream)

MSA-25-0030: Password can be revealed in login page after log out due to caching

by Michael Hawkins -

Additional cache controls were required to prevent web browsers caching a user's password on the login page (note accessing this would require access to the web browser on the device where the user had logged in).

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Mark Johnson
CVE identifier: CVE-2025-49513
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85323
Tracker issue: MDL-85323 Password can be revealed in login page after log out due to caching

MSA-25-0029: XSS risk in MathJax (safe extension not loaded)

by Michael Hawkins -

An extension was omitted from the MathJax configuration shipped with Moodle when the library was upgraded in LMS 5.0, resulting in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.0
Versions fixed: 5.0.1
Reported by: Martin Gauk
CVE identifier: CVE-2025-49512
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85488
Tracker issue: MDL-85488 XSS risk in MathJax (safe extension not loaded)

MSA-25-0028: IDOR when accessing the cohorts report

by Michael Hawkins -

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

MSA-25-0027: IDOR in messaging web service allows access to some user details

by Michael Hawkins -

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details

MSA-25-0026: AJAX section delete does not respect course_can_delete_section()

by Michael Hawkins -

Additional checks were required to prevent users deleting course sections they did not have permission to modify.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: James E. Calder
CVE identifier: CVE-2025-3644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83994
Tracker issue: MDL-83994 AJAX section delete does not respect course_can_delete_section()

MSA-25-0025: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
CVE identifier: CVE-2025-3643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85104
Tracker issue: MDL-85104 Reflected XSS risk in policy tool

MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

by Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the EQUELLA repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3642
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84473
Tracker issue: MDL-84473 Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository

by Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the Dropbox repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3641
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84475
Tracker issue: MDL-84475 Authenticated remote code execution risk in the Moodle LMS Dropbox repository

MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users

by Michael Hawkins -

Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Khikhi
CVE identifier: CVE-2025-3640
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84750
Tracker issue: MDL-84750 IDOR in web service allows users enrolled in a course to access some details of other users