The question bank filter required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5 and 4.3 to 4.3.9 |
| Versions fixed: | 4.5.2, 4.4.6 and 4.3.10 |
| Reported by: | Hect0r |
| CVE identifier: | CVE-2025-26530 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146 |
| Tracker issue: | MDL-84146 Reflected XSS via question bank filter |
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | nightbloodz |
| CVE identifier: | CVE-2025-26529 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145 |
| Tracker issue: | MDL-84145 Stored XSS risk in admin live log |
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2025-26528 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896 |
| Tracker issue: | MDL-82896 Stored XSS in ddimageortext question type |
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Marina Glancy |
| CVE identifier: | CVE-2025-26527 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941 |
| Tracker issue: | MDL-83941 Non-searchable tags can still be discovered on the tag search page and in the tags block |
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2025-26526 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976 |
| Tracker issue: | MDL-79976 Feedback response viewing and deletions did not respect Separate Groups mode |
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | vicevirus |
| CVE identifier: | CVE-2025-26525 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 |
| Tracker issue: | MDL-84136 Arbitrary file read risk through pdfTeX |
Guest user sessions were given a longer timeout than authenticated users, which could result in an elevated denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions |
| Versions fixed: | 4.5.1, 4.4.5, 4.3.9 and 4.1.15 |
| Reported by: | Jerome Charaoui |
| CVE identifier: | CVE-2024-55648 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61316 |
| Tracker issue: | MDL-61316 Potential denial of service risk due to guest sessions' longer timeout period |
Question bank filtering required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5, 4.4 to 4.4.4 and 4.3 to 4.3.8 |
| Versions fixed: | 4.5.1, 4.4.5, and 4.3.9 |
| Reported by: | Andrey Alekseev (Positive Technologies) |
| CVE identifier: | CVE-2024-55647 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83357 |
| Tracker issue: | MDL-83357 Reflected XSS in question bank filter |
In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups. Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).
| Severity/Risk: | Minor |
| Versions affected: | 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions |
| Versions fixed: | 4.5.1, 4.4.5, 4.3.9 and 4.1.15 |
| Reported by: | Jaron Cohen |
| CVE identifier: | CVE-2024-55646 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82757 |
| Tracker issue: | MDL-82757 Database activity issue in separate groups mode, for users not in a group |
On sites requiring a confirmation step to update a user's email address, the token used to verify the change should only be accessible via the confirmation email, but was otherwise retrievable by the user.
| Severity/Risk: | Minor |
| Versions affected: | 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions |
| Versions fixed: | 4.5.1, 4.4.5, 4.3.9 and 4.1.15 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2024-55645 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82379 |
| Tracker issue: | MDL-82379 Email change confirmation token available via preference |