Security announcements

MSA-25-0008: IDOR in badges allows disabling of arbitrary badges

- Michael Hawkins の投稿

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Paul Holden
CVE identifier: CVE-2025-26531
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239
Tracker issue: MDL-84239 IDOR in badges allows disabling of arbitrary badges

MSA-25-0007: Upgrade RequireJS including security fix (upstream)

- Michael Hawkins の投稿

The upstream RequireJS library was upgraded, which included a security fix.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Paola Maneggia
CVE identifier: CVE-2024-38999 (upstream)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84023
Tracker issue: MDL-84023 Upgrade RequireJS including security fix (upstream)

MSA-25-0006: Reflected XSS via question bank filter

- Michael Hawkins の投稿

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5 and 4.3 to 4.3.9
Versions fixed: 4.5.2, 4.4.6 and 4.3.10
Reported by: Hect0r
CVE identifier: CVE-2025-26530
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146
Tracker issue: MDL-84146 Reflected XSS via question bank filter

MSA-25-0005: Stored XSS risk in admin live log

- Michael Hawkins の投稿

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: nightbloodz
CVE identifier: CVE-2025-26529
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145
Tracker issue: MDL-84145 Stored XSS risk in admin live log

MSA-25-0004: Stored XSS in ddimageortext question type

- Michael Hawkins の投稿

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-26528
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896
Tracker issue: MDL-82896 Stored XSS in ddimageortext question type

MSA-25-0003: Non-searchable tags can still be discovered on the tag search page and in the tags block

- Michael Hawkins の投稿

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Marina Glancy
CVE identifier: CVE-2025-26527
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941
Tracker issue: MDL-83941 Non-searchable tags can still be discovered on the tag search page and in the tags block

MSA-25-0002: Feedback response viewing and deletions did not respect Separate Groups mode

- Michael Hawkins の投稿

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: Leon Stringer
CVE identifier: CVE-2025-26526
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976
Tracker issue: MDL-79976 Feedback response viewing and deletions did not respect Separate Groups mode

MSA-25-0001: Arbitrary file read risk through pdfTeX

- Michael Hawkins の投稿

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: vicevirus
CVE identifier: CVE-2025-26525
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136
Tracker issue: MDL-84136 Arbitrary file read risk through pdfTeX

MSA-24-0056: Potential denial of service risk due to guest sessions' longer timeout period

- Michael Hawkins の投稿

Guest user sessions were given a longer timeout than authenticated users, which could result in an elevated denial of service risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jerome Charaoui
CVE identifier: CVE-2024-55648
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61316
Tracker issue: MDL-61316 Potential denial of service risk due to guest sessions' longer timeout period

MSA-24-0055: Reflected XSS in question bank filter

- Michael Hawkins の投稿

Question bank filtering required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4 and 4.3 to 4.3.8
Versions fixed: 4.5.1, 4.4.5, and 4.3.9
Reported by: Andrey Alekseev (Positive Technologies)
CVE identifier: CVE-2024-55647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83357
Tracker issue: MDL-83357 Reflected XSS in question bank filter