Security announcements

MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository

por Michael Hawkins -

A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the Dropbox repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3641
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84475
Tracker issue: MDL-84475 Authenticated remote code execution risk in the Moodle LMS Dropbox repository
Discutir este tópico  (0 respostas)

MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users

por Michael Hawkins -

Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Khikhi
CVE identifier: CVE-2025-3640
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84750
Tracker issue: MDL-84750 IDOR in web service allows users enrolled in a course to access some details of other users
Discutir este tópico  (0 respostas)

MSA-25-0021: CSRF risk in Brickfield tool's analysis request action

por Michael Hawkins -

The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3638
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84478
Tracker issue: MDL-84478 CSRF risk in Brickfield tool's analysis request action
Discutir este tópico  (0 respostas)

MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter

por Michael Hawkins -

A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Simon Reinhart
CVE identifier: CVE-2025-3637
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Tracker issue: MDL-65356 mod_data edit/delete pages pass CSRF token in GET parameter
Discutir este tópico  (0 respostas)

MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds

por Michael Hawkins -

Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3636
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84499
Tracker issue: MDL-84499 IDOR in RSS block allows access to additional RSS feeds
Discutir este tópico  (0 respostas)

MSA-25-0018: CSRF risk in user tours manager allows tour duplication

por Michael Hawkins -

The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3635
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84479
Tracker issue: MDL-84479 CSRF risk in user tours manager allows tour duplication
Discutir este tópico  (0 respostas)

MSA-25-0017: Self enrolment available before completing second factor with MFA enabled

por Michael Hawkins -

On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: Guillaume Barat
CVE identifier: CVE-2025-3634
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84784
Tracker issue: MDL-84784 Self enrolment available before completing second factor with MFA enabled
Discutir este tópico  (0 respostas)

MSA-25-0016: Assignment submissions search on anonymous submissions reveals student identities

por Michael Hawkins -

Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3
Versions fixed: 4.5.4
Reported by: Eliot
CVE identifier: CVE-2025-3628
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84447
Tracker issue: MDL-84447 Assignment submissions search on anonymous submissions reveals student identities
Discutir este tópico  (0 respostas)

MSA-25-0015: Some user data available before completing second factor with MFA enabled

por Michael Hawkins -

On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: AntnioVilelac
CVE identifier: CVE-2025-3627
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84351
Tracker issue: MDL-84351 Some user data available before completing second factor with MFA enabled
Discutir este tópico  (0 respostas)

MSA-25-0014: User DoS and name disclosure risks via IDOR in MFA email factor revoke action

por Michael Hawkins -

A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: vi22
CVE identifier: CVE-2025-3625
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85015
Tracker issue: MDL-85015 User DoS and name disclosure risks via IDOR in MFA email factor revoke action
Discutir este tópico  (0 respostas)