Security announcements | Moodle.org

The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).

Please also note that due to MimeTeX being un-maintained and without security updates for an extended period of time, it is considered an increasing security risk and not recommended for production use (see workaround below). For this reason MimeTeX support will also be removed from Moodle LMS in the near future.

Insufficient capability checks in some grade reports resulted in some hidden grades being available to users who did not have permission to view them.

(Updated 3 April 2025 to add the CVE identifier.)

On some sites it was possible to retrieve data stored in the users table such as name, contact information and hashed passwords, via a stack trace returned by an API call.

IMPORTANT NOTE: Sites where PHP is configured with zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1 in the relevant php.ini file are NOT affected by this vulnerability.

MSA-25-0011 Further Information

On 14th March 2025, the above-mentioned critical bug was reported in the Moodle LMS 4.5 REST API whereby, in certain situations and when an error occurs, user details may be exposed. After a prompt in-depth analysis of the report, the root cause was identified and a patch and supporting remediation instructions were quickly developed.

This issue may have exposed some sensitive user details, including name, e-mail address, hashed password, last login IP, and some metadata. Passwords in Moodle LMS are heavily salted and hashed, as well as peppered (if configured). SHA-512 hashing has been in use since Moodle LMS 4.3, and support for peppers, which further increase password security, was added in that same release.

It is important to note that only sites running Moodle LMS 4.5 (4.5.0, 4.5.1 or 4.5.2) and which do not have the zend.exception_ignore_args setting enabled, and are using the internal Moodle LMS authentication system, are affected by this vulnerability. We strongly recommend if your site may be affected, that you require a password reset for all users as a precaution, and consider setting up multi-factor authentication and password peppers if they are not already enabled.

Steps to confirm if your site is vulnerable (for site administrators)

1. Check if you are running an affected version (4.5.x):
   • Log in as admin and navigate to Site administration > General > Notifications.
   • Check the current version at the bottom of the page. If you are running Moodle LMS versions 4.5.0, 4.5.1, or 4.5.2, your site may be vulnerable. Other versions are not affected.
2. Check if PHP has zend.exception_ignore_args is disabled:
   • Log in as admin and navigate to Site administration > Server > PHP Info.
   • Search for zend.exception_ignore_args.
   • If the value is off, you are susceptible to the issue. If it is on (set to 'On' or 1), you are not susceptible.
   • If you are not able to access the PHP Info screen, on your webserver you will need to check if your php.ini configuration contains: zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1. If neither of those are included, you are susceptible.

Steps if your site is affected

1. Immediately configure zend.exception_ignore_args = 'On' in your PHP configuration. This should remain on even after the patch is applied.
2. Apply the patch as soon as you are able to.
3. Consider forcing all users to change their passwords, which can be achieved via the force password change option in Bulk user actions.
4. If you wish, also enable Multi-Factor Authentication and password peppers.

(Updated 3 April 2025 to add the CVE identifier.)

An SQL injection risk was identified in the module list filter within course search.

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.