Security announcements

MSA-25-0028: IDOR when accessing the cohorts report

By Michael Hawkins on

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

MSA-25-0027: IDOR in messaging web service allows access to some user details

By Michael Hawkins on

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details

MSA-25-0026: AJAX section delete does not respect course_can_delete_section()

By Michael Hawkins on

Additional checks were required to prevent users deleting course sections they did not have permission to modify.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: James E. Calder
CVE identifier: CVE-2025-3644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83994
Tracker issue: MDL-83994 AJAX section delete does not respect course_can_delete_section()

MSA-25-0025: Reflected XSS risk in policy tool

By Michael Hawkins on

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
CVE identifier: CVE-2025-3643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85104
Tracker issue: MDL-85104 Reflected XSS risk in policy tool

MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

By Michael Hawkins on

A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the EQUELLA repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3642
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84473
Tracker issue: MDL-84473 Authenticated remote code execution risk in the Moodle LMS EQUELLA repository

MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository

By Michael Hawkins on

A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the Dropbox repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3641
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84475
Tracker issue: MDL-84475 Authenticated remote code execution risk in the Moodle LMS Dropbox repository

MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users

By Michael Hawkins on

Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Khikhi
CVE identifier: CVE-2025-3640
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84750
Tracker issue: MDL-84750 IDOR in web service allows users enrolled in a course to access some details of other users

MSA-25-0021: CSRF risk in Brickfield tool's analysis request action

By Michael Hawkins on

The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3638
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84478
Tracker issue: MDL-84478 CSRF risk in Brickfield tool's analysis request action

MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter

By Michael Hawkins on

A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Simon Reinhart
CVE identifier: CVE-2025-3637
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Tracker issue: MDL-65356 mod_data edit/delete pages pass CSRF token in GET parameter

MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds

By Michael Hawkins on

Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3636
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84499
Tracker issue: MDL-84499 IDOR in RSS block allows access to additional RSS feeds