Security announcements

MSA-25-0021: CSRF risk in Brickfield tool's analysis request action

by Michael Hawkins

The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3638
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84478
Tracker issue: MDL-84478 CSRF risk in Brickfield tool's analysis request action

MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter

by Michael Hawkins

A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Simon Reinhart
CVE identifier: CVE-2025-3637
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Tracker issue: MDL-65356 mod_data edit/delete pages pass CSRF token in GET parameter

MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds

by Michael Hawkins

Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3636
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84499
Tracker issue: MDL-84499 IDOR in RSS block allows access to additional RSS feeds

MSA-25-0018: CSRF risk in user tours manager allows tour duplication

by Michael Hawkins

The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3635
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84479
Tracker issue: MDL-84479 CSRF risk in user tours manager allows tour duplication

MSA-25-0017: Self enrolment available before completing second factor with MFA enabled

by Michael Hawkins

On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: Guillaume Barat
CVE identifier: CVE-2025-3634
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84784
Tracker issue: MDL-84784 Self enrolment available before completing second factor with MFA enabled

MSA-25-0016: Assignment submissions search on anonymous submissions reveals student identities

by Michael Hawkins

Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3
Versions fixed: 4.5.4
Reported by: Eliot
CVE identifier: CVE-2025-3628
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84447
Tracker issue: MDL-84447 Assignment submissions search on anonymous submissions reveals student identities

MSA-25-0015: Some user data available before completing second factor with MFA enabled

by Michael Hawkins

On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: AntnioVilelac
CVE identifier: CVE-2025-3627
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84351
Tracker issue: MDL-84351 Some user data available before completing second factor with MFA enabled

MSA-25-0014: User DoS and name disclosure risks via IDOR in MFA email factor revoke action

by Michael Hawkins

A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: vi22
CVE identifier: CVE-2025-3625
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85015
Tracker issue: MDL-85015 User DoS and name disclosure risks via IDOR in MFA email factor revoke action

MSA-25-0013: Remote code execution risk via MimeTeX command (upstream)

by Michael Hawkins

Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).

Please also note that, because MimeTeX has been unmaintained and without security updates for an extended period of time, it is considered an increasing security risk and is not recommended for production use (see workaround below). For this reason, MimeTeX support will also be removed from Moodle LMS in the near future.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: TaiYou
Workaround: Disable the TeX Notation filter until the patch is applied. If an alternative mathematical formula filter is required, consider configuring the MathJax filter instead. Alternatively, if you provide valid paths to LaTeX, dvips and convert binaries in the TeX Notation filter settings, the filter will use those instead of MimeTeX, as MimeTeX is the filter's fallback option. If setting the TeX Notation filter binary paths, you may wish to additionally insert a false MimeTeX path such as "x" that is not a valid executable, so that even if the system attempts to use MimeTeX, it fails to execute (leaving it blank does not have the same effect, because it then uses a version of MimeTeX included with Moodle LMS).
CVE identifier: CVE-2024-40446
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85152
Tracker issue: MDL-85152 Remote code execution risk via MimeTeX command (upstream)

MSA-25-0012: Hidden grades are shown to users without permission on some grade reports

by Michael Hawkins

Insufficient capability checks in some grade reports resulted in some hidden grades being available to users who did not have permission to view them.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.2, 4.4 to 4.4.6, 4.3 to 4.3.10, 4.1 to 4.1.16 and earlier unsupported versions
Versions fixed: 4.5.3, 4.4.7, 4.3.11 and 4.1.17
Reported by: Ilya Tregubov
CVE identifier: CVE-2025-32045
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81945
Tracker issue: MDL-81945 Hidden grades are shown to users without permission on some grade reports

(Updated 3 April 2025 to add the CVE identifier.)