Security announcements

MSA-25-0033: Course visibility not honoured consistently

by Michael Hawkins -

Insufficient state and capability checks resulted in some details of hidden courses (such as course name, description and teachers) being available to users who did not have permission to access them.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49515
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84518
Tracker issue: MDL-84518 Course visibility not honoured consistently

MSA-25-0032: SSRF risk via DNS rebind

by Michael Hawkins -

A DNS rebind risk in the way cURL requests were handled could result in an SSRF risk, due to the possibility of cURL blocked hosts / allowed ports site configurations being bypassed.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Rekter0 and Holme, 0x123456789, TaiYou, and Vladislav Gladkiy (Positive Technologies)
CVE identifier: CVE-2025-49514
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83762
Tracker issue: MDL-83762 SSRF risk via DNS rebind

MSA-25-0031: Upgrade ADOdb including security fix (upstream)

by Michael Hawkins -

The upstream ADOdb library contained an SQL injection risk in the pg_insert_id() method. It is important to note that the core Moodle LMS was NOT affected by this vulnerability; however, as a precaution, this library has been upgraded to remove the risk entirely, in case any third-party code/plugins use the vulnerable code.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Alex Chiou
CVE identifier: CVE-2025-46337
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85375
Tracker issue: MDL-85375 Upgrade ADOdb including security fix (upstream)

MSA-25-0030: Password can be revealed in login page after log out due to caching

by Michael Hawkins -

Additional cache controls were required to prevent web browsers caching a user's password on the login page (note accessing this would require access to the web browser on the device where the user had logged in).

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Mark Johnson
CVE identifier: CVE-2025-49513
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85323
Tracker issue: MDL-85323 Password can be revealed in login page after log out due to caching

MSA-25-0029: XSS risk in MathJax (safe extension not loaded)

by Michael Hawkins -

An extension was omitted from the MathJax configuration shipped with Moodle when the library was upgraded in LMS 5.0, resulting in an XSS risk.

Severity/Risk: Serious
Versions affected: 5.0
Versions fixed: 5.0.1
Reported by: Martin Gauk
CVE identifier: CVE-2025-49512
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85488
Tracker issue: MDL-85488 XSS risk in MathJax (safe extension not loaded)

MSA-25-0028: IDOR when accessing the cohorts report

by Michael Hawkins -

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

MSA-25-0027: IDOR in messaging web service allows access to some user details

by Michael Hawkins -

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details

MSA-25-0026: AJAX section delete does not respect course_can_delete_section()

by Michael Hawkins -

Additional checks were required to prevent users deleting course sections they did not have permission to modify.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: James E. Calder
CVE identifier: CVE-2025-3644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83994
Tracker issue: MDL-83994 AJAX section delete does not respect course_can_delete_section()

MSA-25-0025: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
CVE identifier: CVE-2025-3643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85104
Tracker issue: MDL-85104 Reflected XSS risk in policy tool

MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

by Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the EQUELLA repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3642
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84473
Tracker issue: MDL-84473 Authenticated remote code execution risk in the Moodle LMS EQUELLA repository