Security announcements

MSA-25-0002: Feedback response viewing and deletions did not respect Separate Groups mode

by Michael Hawkins -

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Leon Stringer
CVE identifier: CVE-2025-26526
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976
Tracker issue: MDL-79976 Feedback response viewing and deletions did not respect Separate Groups mode
Discuss this topic  (0 replies so far)

MSA-25-0001: Arbitrary file read risk through pdfTeX

by Michael Hawkins -

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: vicevirus
CVE identifier: CVE-2025-26525
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136
Tracker issue: MDL-84136 Arbitrary file read risk through pdfTeX
Discuss this topic  (0 replies so far)

MSA-24-0056: Potential denial of service risk due to guest sessions' longer timeout period

by Michael Hawkins -

Guest user sessions were given a longer timeout than authenticated users, which could result in an elevated denial of service risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jerome Charaoui
CVE identifier: CVE-2024-55648
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61316
Tracker issue: MDL-61316 Potential denial of service risk due to guest sessions' longer timeout period
Discuss this topic  (0 replies so far)

MSA-24-0055: Reflected XSS in question bank filter

by Michael Hawkins -

Question bank filtering required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4 and 4.3 to 4.3.8
Versions fixed: 4.5.1, 4.4.5, and 4.3.9
Reported by: Andrey Alekseev (Positive Technologies)
CVE identifier: CVE-2024-55647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83357
Tracker issue: MDL-83357 Reflected XSS in question bank filter
Discuss this topic  (0 replies so far)

MSA-24-0054: Database activity issue in separate groups mode, for users not in a group

by Michael Hawkins -

In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups. Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jaron Cohen
CVE identifier: CVE-2024-55646
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82757
Tracker issue: MDL-82757 Database activity issue in separate groups mode, for users not in a group
Discuss this topic  (0 replies so far)

MSA-24-0053: Email change confirmation token available via preference

by Michael Hawkins -

On sites requiring a confirmation step to update a user's email address, the token used to verify the change should only be accessible via the confirmation email, but was otherwise retrievable by the user.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-55645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82379
Tracker issue: MDL-82379 Email change confirmation token available via preference
Discuss this topic  (0 replies so far)

MSA-24-0052: Tag index page displays other users tagged with the selected tag

by Michael Hawkins -

Insufficient checks meant users could see users tagged with a tag, regardless of whether they had access to view the users' profiles.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Frederik Milling Pytlick
CVE identifier: CVE-2024-55644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82963
Tracker issue: MDL-82963 Tag index page displays other users tagged with the selected tag
Discuss this topic  (0 replies so far)

MSA-24-0051: Unprotected access to sensitive information via learning plan web service

by Michael Hawkins -

Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: lUcgryy
CVE identifier: CVE-2024-55643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83921
Tracker issue: MDL-83921 Unprotected access to sensitive information via learning plan web service
Discuss this topic  (0 replies so far)

MSA-24-0050: IDOR when fetching report schedules

by Michael Hawkins -

Additional checks were required to ensure users can only access the schedule of a report if they have permission to edit that report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48901
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83180
Tracker issue: MDL-83180 IDOR when fetching report schedules
Discuss this topic  (0 replies so far)

MSA-24-0049: IDOR when accessing list of badge recipients

by Michael Hawkins -

Additional checks were required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48900
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
Tracker issue: MDL-83178 IDOR when accessing list of badge recipients
Discuss this topic  (0 replies so far)