Security announcements

MSA-25-0018: CSRF risk in user tours manager allows tour duplication

by Michael Hawkins -

The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3635
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84479
Tracker issue: MDL-84479 CSRF risk in user tours manager allows tour duplication

MSA-25-0017: Self enrolment available before completing second factor with MFA enabled

by Michael Hawkins -

On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: Guillaume Barat
CVE identifier: CVE-2025-3634
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84784
Tracker issue: MDL-84784 Self enrolment available before completing second factor with MFA enabled

MSA-25-0016: Assignment submissions search on anonymous submissions reveals student identities

by Michael Hawkins -

Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3
Versions fixed: 4.5.4
Reported by: Eliot
CVE identifier: CVE-2025-3628
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84447
Tracker issue: MDL-84447 Assignment submissions search on anonymous submissions reveals student identities

MSA-25-0015: Some user data available before completing second factor with MFA enabled

by Michael Hawkins -

On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: AntnioVilelac
CVE identifier: CVE-2025-3627
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84351
Tracker issue: MDL-84351 Some user data available before completing second factor with MFA enabled

MSA-25-0014: User DoS and name disclosure risks via IDOR in MFA email factor revoke action

by Michael Hawkins -

A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: vi22
CVE identifier: CVE-2025-3625
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85015
Tracker issue: MDL-85015 User DoS and name disclosure risks via IDOR in MFA email factor revoke action

MSA-25-0013: Remote code execution risk via MimeTeX command (upstream)

by Michael Hawkins -

Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).

Please also note that, because MimeTeX has been unmaintained and without security updates for an extended period of time, it is considered an increasing security risk and is not recommended for production use (see workaround below). For this reason, MimeTeX support will also be removed from Moodle LMS in the near future.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: TaiYou
Workaround: Disable the TeX Notation filter until the patch is applied. If an alternative mathematical formula filter is required, consider configuring the MathJax filter instead. Alternatively, if you provide valid paths to LaTeX, dvips and convert binaries in the TeX Notation filter settings, the filter will use those instead of MimeTeX, as MimeTeX is the filter's fallback option. If setting the TeX Notation filter binary paths, you may wish to additionally insert a false MimeTeX path such as "x" that is not a valid executable, so that even if the system attempts to use MimeTeX, it fails to execute (leaving it blank does not have the same effect, because it then uses a version of MimeTeX included with Moodle LMS).
CVE identifier: CVE-2024-40446
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85152
Tracker issue: MDL-85152 Remote code execution risk via MimeTeX command (upstream)

MSA-25-0012: Hidden grades are shown to users without permission on some grade reports

by Michael Hawkins -

Insufficient capability checks in some grade reports resulted in some hidden grades being available to users who did not have permission to view them.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.2, 4.4 to 4.4.6, 4.3 to 4.3.10, 4.1 to 4.1.16 and earlier unsupported versions
Versions fixed: 4.5.3, 4.4.7, 4.3.11 and 4.1.17
Reported by: Ilya Tregubov
CVE identifier: CVE-2025-32045
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81945
Tracker issue: MDL-81945 Hidden grades are shown to users without permission on some grade reports

(Updated 3 April 2025 to add the CVE identifier.)

MSA-25-0011: Unauthenticated REST API user data exposure

by Michael Hawkins -

On some sites it was possible to retrieve data stored in the users table such as name, contact information and hashed passwords, via a stack trace returned by an API call.

IMPORTANT NOTE: Sites where PHP is configured with zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1 in the relevant php.ini file are NOT affected by this vulnerability.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.2
Versions fixed: 4.5.3
Reported by: Lucas Alonso
Workaround: Set zend.exception_ignore_args = 'On' in the php.ini file(s) used by your Moodle LMS instance, if that is not already configured. Note that this should remain configured even after the patch is applied.
CVE identifier: CVE-2025-32044
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84879
Tracker issue: MDL-84879 Unauthenticated REST API user data exposure

MSA-25-0011 Further Information

On 14th March 2025, the above-mentioned critical bug was reported in the Moodle LMS 4.5 REST API whereby, in certain situations and when an error occurs, user details may be exposed. After a prompt in-depth analysis of the report, the root cause was identified and a patch and supporting remediation instructions were quickly developed.

This issue may have exposed some sensitive user details, including name, e-mail address, hashed password, last login IP, and some metadata. Passwords in Moodle LMS are heavily salted and hashed, as well as peppered (if configured). SHA-512 hashing has been in use since Moodle LMS 4.3, and support for peppers, which further increase password security, was added in that same release.

It is important to note that only sites running Moodle LMS 4.5 (4.5.0, 4.5.1 or 4.5.2) which do not have the zend.exception_ignore_args setting enabled and which are using the internal Moodle LMS authentication system are affected by this vulnerability. If your site may be affected, we strongly recommend that you require a password reset for all users as a precaution, and consider setting up multi-factor authentication and password peppers if they are not already enabled.

Steps to confirm if your site is vulnerable (for site administrators)

  1. Check if you are running an affected version (4.5.x):
    • Log in as admin and navigate to Site administration > General > Notifications.
    • Check the current version at the bottom of the page. If you are running Moodle LMS versions 4.5.0, 4.5.1, or 4.5.2, your site may be vulnerable. Other versions are not affected.
  2. Check whether PHP's zend.exception_ignore_args setting is disabled:
    • Log in as admin and navigate to Site administration > Server > PHP Info.
    • Search for zend.exception_ignore_args.
    • If the value is off, you are susceptible to the issue. If it is on (set to 'On' or 1), you are not susceptible.
    • If you are not able to access the PHP Info screen, you will need to check on your webserver whether your php.ini configuration contains zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1. If neither of those is included, you are susceptible.
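As an added example (not part of this advisory or of Moodle's own tooling), the following POSIX shell script automates step 2 above for administrators without PHP Info access: it reads either a php.ini file or saved `php -i` output and reports whether zend.exception_ignore_args is effectively On. The file names used are constructed placeholders, and the sample inputs are constructed, not real server files.

```shell
#!/bin/sh
# Added example, not part of the Moodle advisory: a portable check for the
# php.ini step above. It reads either a php.ini file ("key = value") or saved
# `php -i` output ("key => local => master") and says whether
# zend.exception_ignore_args is effectively On.

# Returns 0 when the directive is On (1/On/True/Yes, quoted or bare) and 1 when
# it is Off, empty, commented out, or absent; absent means PHP's default (Off).
php_ignore_args_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    # Lower-case everything, drop ';' comments, then extract the value of the
    # directive. The last assignment wins, as in php.ini itself.
    value=$(tr 'A-Z' 'a-z' < "$file" \
        | sed -n -e 's/;.*$//' \
                 -e 's/^[[:space:]]*zend\.exception_ignore_args[[:space:]]*=>\{0,1\}[[:space:]]*\([^=[:space:]]*\).*/\1/p' \
        | tail -n 1 \
        | tr -d "\"'")
    case "$value" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the advisory's verdict for one file; exit status mirrors the check.
report_ignore_args() {
    if php_ignore_args_enabled "$1"; then
        echo "$1: zend.exception_ignore_args is On -> not susceptible to MSA-25-0011"
    else
        echo "$1: zend.exception_ignore_args is Off or unset -> susceptible, set it to On"
        return 1
    fi
}

# Constructed sample inputs (not real server files) to exercise the check.
demo_dir=$(mktemp -d)
printf '%s\n' '; hardened ini' "zend.exception_ignore_args = 'On'" > "$demo_dir/prod.ini"
printf '%s\n' 'zend.exception_ignore_args = On' 'zend.exception_ignore_args = Off' > "$demo_dir/override.ini"
printf '%s\n' 'zend.exception_ignore_args => 1 => 1' > "$demo_dir/phpinfo.txt"
for f in "$demo_dir"/*; do report_ignore_args "$f" || true; done
rm -r "$demo_dir"
```

Run it against every php.ini that applies to your Moodle instance (CLI, FPM and Apache modules each have their own), since step 1 of the remediation below requires the setting to be On in all of them.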

Steps if your site is affected

  1. Immediately configure zend.exception_ignore_args = 'On' in your PHP configuration. This should remain on even after the patch is applied.
  2. Apply the patch as soon as you are able to.
  3. Consider forcing all users to change their passwords, which can be achieved via the force password change option in Bulk user actions.
  4. If you wish, also enable Multi-Factor Authentication and password peppers.

(Updated 3 April 2025 to add the CVE identifier.)

MSA-25-0010: SQL injection risk in course search module list filter

by Michael Hawkins -

An SQL injection risk was identified in the module list filter within course search.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Lars Bonczek
CVE identifier: CVE-2025-26533
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84271
Tracker issue: MDL-84271 SQL injection risk in course search module list filter

MSA-25-0009: Teachers can evade trusttext config when restoring glossary entries

by Michael Hawkins -

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Paul Holden
CVE identifier: CVE-2025-26532
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003
Tracker issue: MDL-84003 Teachers can evade trusttext config when restoring glossary entries