Security announcements

MSA-25-0052: Authentication via LTI Provider available to suspended users

Michael Hawkins-mit -

Suspended users were not prevented from authenticating via the LTI Provider, so a suspended account could still obtain a session through an LTI launch.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Attilio Ferrari
CVE identifier: CVE-2025-67848
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286
Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users

MSA-25-0051: Remote code execution risk via file restore

Michael Hawkins-mit -

A remote code execution risk was identified in the file restore functionality.

Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Dinhnhi from VNPT-VCI
CVE identifier: CVE-2025-67847
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87353
Tracker issue: MDL-87353 Remote code execution risk via file restore

MSA-25-0050: Possible to bypass timer in timed assignments

Michael Hawkins-mit -

It was possible for a student to bypass the time limit on a timed assignment.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Charles Fulton
CVE identifier: CVE-2025-62401
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087
Tracker issue: MDL-75087 Possible to bypass timer in timed assignments

MSA-25-0049: Names of hidden groups are visible to users with access to create group calendar events

Michael Hawkins-mit -

Insufficient capability checks meant users with the capability to create group events, but without the capability to view hidden groups, could see hidden and separate groups in the list of groups to select for calendar events.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Robert Toth
CVE identifier: CVE-2025-62400
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86261
Tracker issue: MDL-86261 Names of hidden groups are visible to users with access to create group calendar events

MSA-25-0048: Password brute force risk when mobile/web services enabled

Michael Hawkins-mit -

It was possible to brute-force passwords for known usernames when the mobile client (web service token login) and the auth_webservice plugin were enabled.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Petr Skoda
CVE identifier: CVE-2025-62399
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86327
Tracker issue: MDL-86327 Password brute force risk when mobile/web services enabled
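A detection example for the brute-force condition above, added here as illustration; this is not Moodle's own code. It assumes the token login requests land in an ordinary Apache combined-format access log as POSTs to /login/token.php, and that the endpoint answers 200 to both good and bad credentials (so the status code does not separate failures from successes and the per-source request rate is what gets alerted on). The log lines, IP addresses and user-agent string are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache "combined" format); not real traffic.
# 203.0.113.7 hammers the token endpoint; 198.51.100.20 is a normal client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:02 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
198.51.100.20 - - [10/Nov/2025:10:00:03 +0000] "POST /login/token.php HTTP/1.1" 200 112 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:03 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:04 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
198.51.100.20 - - [10/Nov/2025:10:00:05 +0000] "GET /webservice/rest/server.php?wsfunction=core_webservice_get_site_info HTTP/1.1" 200 2310 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:05 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:06 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:07 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
203.0.113.7 - - [10/Nov/2025:10:00:08 +0000] "POST /login/token.php HTTP/1.1" 200 71 "-" "MoodleMobile 4.5.0"
198.51.100.20 - - [10/Nov/2025:10:05:00 +0000] "POST /login/token.php HTTP/1.1" 200 112 "-" "MoodleMobile 4.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoint that checks a username/password pair for the mobile client.
TOKEN_PATHS = ("/login/token.php",)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def detect_token_bruteforce(lines, threshold=5, window_seconds=60, paths=TOKEN_PATHS):
    """Sliding-window rate check per source IP over POSTs to the token endpoint.

    Lines are assumed to be in time order (as in a log file). Returns a dict
    {ip: peak_count} for every IP that reached `threshold` requests within any
    `window_seconds` window; the peak is the highest in-window count seen."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in paths:
            continue
        dq = windows[rec["ip"]]
        dq.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while dq and dq[0] < cutoff:
            dq.popleft()
        if len(dq) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(dq))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_token_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} token requests inside one window")
```

The access log gives only the source dimension; usernames travel in the POST body. To add the per-username view (and to catch a distributed attacker that stays under the per-IP rate), query Moodle's own standard log store for the failed-login events it records instead, and correlate the two.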

MSA-25-0047: Possible to bypass MFA

Michael Hawkins-mit -

Incorrect handling of some endpoints during login made it possible to bypass the second factor of multi-factor authentication. Note: A valid username and password were still required to log in.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10
Versions fixed: 5.0.3, 4.5.7 and 4.4.11
Reported by: Petr Skoda
CVE identifier: CVE-2025-62398
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86334
Tracker issue: MDL-86334 Possible to bypass MFA

MSA-25-0046: Router produces JSON instead of 404 error when passed a non-existent course ID

Michael Hawkins-mit -

The router made it possible to determine which course IDs exist, because it handled valid and non-existent course IDs inconsistently (returning JSON rather than a 404 error for a non-existent ID).

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Adam Jenkins
CVE identifier: CVE-2025-62397
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86335
Tracker issue: MDL-86335 Router produces JSON instead of 404 error when passed a non-existent course ID

MSA-25-0045: When using router (r.php) it was possible for the server to show application directories

Michael Hawkins-mit -

Incorrect error handling in the routing system could result in the application directories being listed when the request's Accept header did not include text/html.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Yedidia Klein
CVE identifier: CVE-2025-62396
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86494
Tracker issue: MDL-86494 When using router (r.php) it was possible for the server to show application directories

MSA-25-0044: External cohort search service method leaks system cohort data

Michael Hawkins-mit -

Insufficient capability checks meant a user with permission to manage or view cohorts in a lower context could retrieve data about cohorts defined in the system context that they would not otherwise have access to.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Paul Holden
CVE identifier: CVE-2025-62395
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85421
Tracker issue: MDL-85421 External cohort search service method leaks system cohort data

MSA-25-0043: Quiz notifications sent to suspended course participants

Michael Hawkins-mit -

Insufficient enrolment checks could result in quiz notifications being sent to users who had an inactive enrolment in the course (such as being suspended or past their enrolment end date).

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Philipp Hager
CVE identifier: CVE-2025-62394
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86253
Tracker issue: MDL-86253 Quiz notifications sent to suspended course participants
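Every advisory on this page states its affected versions as a list of supported branches with an optional "and earlier unsupported versions" tail. The following added script (not Moodle's own tooling) parses those strings exactly as written above and tells an administrator, for an installed version, which advisories apply, which are already fixed on that branch, and which say nothing about the branch at all. The only assumption beyond the page is that a trailing "+" (a weekly build) is treated as the release it follows, since security fixes ship in the next point release.

```python
import re

# Affected-version strings copied from the ten advisories above (MSA-25-0043 to MSA-25-0052).
ADVISORIES = {
    "MSA-25-0052": "5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions",
    "MSA-25-0051": "5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions",
    "MSA-25-0050": "5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions",
    "MSA-25-0049": "5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions",
    "MSA-25-0048": "5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions",
    "MSA-25-0047": "5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10",
    "MSA-25-0046": "5.0 to 5.0.2",
    "MSA-25-0045": "5.0 to 5.0.2 and 4.5 to 4.5.6",
    "MSA-25-0044": "5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions",
    "MSA-25-0043": "5.0 to 5.0.2 and 4.5 to 4.5.6",
}

EARLIER = " and earlier unsupported versions"


def parse_version(text):
    """'4.5.7' -> (4, 5, 7); a bare branch such as '5.1' is its .0 release.
    Assumption: a trailing '+' (weekly build) is dropped, so '4.5.7+' is
    treated as 4.5.7 and still counts as affected until 4.5.8 is installed."""
    nums = [int(p) for p in text.strip().rstrip("+").split(".")]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def parse_affected(text):
    """Return ([(branch, lowest, highest), ...], earlier_unsupported_flag)."""
    earlier = text.endswith(EARLIER)
    body = text[: -len(EARLIER)] if earlier else text
    ranges = []
    for item in re.split(r",\s*|\s+and\s+", body):
        if not item.strip():
            continue
        if " to " in item:
            lo, hi = (parse_version(p) for p in item.split(" to "))
        else:
            lo = hi = parse_version(item)  # a lone branch: only its .0 release is listed
        ranges.append((lo[:2], lo, hi))
    return ranges, earlier


def assess(installed, affected_text):
    """Classify an installed version against one advisory's affected string:
    'affected', 'fixed' (same branch, at or past the fix release), or
    'not listed' (the advisory says nothing about this branch; check the tracker issue)."""
    v = parse_version(installed)
    ranges, earlier = parse_affected(affected_text)
    for branch, lo, hi in ranges:
        if v[:2] == branch:
            return "affected" if lo <= v <= hi else "fixed"
    newest_branch = max(branch for branch, _, _ in ranges)
    if earlier and v[:2] < newest_branch:
        return "affected"  # an older, unsupported branch: no fixed release exists for it
    return "not listed"


def report(installed, advisories=ADVISORIES):
    """Map each MSA identifier to assess()'s verdict for the installed version."""
    return {msa: assess(installed, text) for msa, text in advisories.items()}


if __name__ == "__main__":
    for msa, verdict in report("4.4.11").items():
        print(msa, verdict)
```

"not listed" is deliberately distinct from "fixed": an unsupported branch that the advisory does not mention (for example a 4.3 site against MSA-25-0047) has no patched release to move to, and the only remedy is an upgrade to a supported branch.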