=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN370
_____________________________________________________________________

DATE                 : 18/06/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Moodle versions prior to
                       5.0.1, 4.5.5, 4.4.9, 4.1.19.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=468500
https://moodle.org/mod/forum/discuss.php?d=468501
https://moodle.org/mod/forum/discuss.php?d=468502
https://moodle.org/mod/forum/discuss.php?d=468503
https://moodle.org/mod/forum/discuss.php?d=468504
https://moodle.org/mod/forum/discuss.php?d=468505
https://moodle.org/mod/forum/discuss.php?d=468506
https://moodle.org/mod/forum/discuss.php?d=468507
_____________________________________________________________________

MSA-25-0029: XSS risk in MathJax (safe extension not loaded)
by Michael Hawkins, Tuesday 17 June 2025, 23:22

An extension was omitted from the MathJax configuration shipped with
Moodle when the library was upgraded in LMS 5.0, resulting in an XSS
risk.

Severity/Risk: Serious
Versions affected: 5.0
Versions fixed: 5.0.1
Reported by: Martin Gauk
CVE identifier: CVE-2025-49512
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85488
Tracker issue: MDL-85488 XSS risk in MathJax (safe extension not loaded)
_____________________________________________________________________

MSA-25-0030: Password can be revealed in login page after log out due
to caching
by Michael Hawkins, Tuesday 17 June 2025, 23:23

Additional cache controls were required to prevent web browsers
caching a user's password on the login page (note accessing this
would require access to the web browser on the device where the user
had logged in).

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Mark Johnson
CVE identifier: CVE-2025-49513
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85323
Tracker issue: MDL-85323 Password can be revealed in login page after log out due to caching
_____________________________________________________________________

MSA-25-0031: Upgrade ADOdb including security fix (upstream)
by Michael Hawkins, Tuesday 17 June 2025, 23:24

The upstream ADOdb library contained an SQL injection risk in the
pg_insert_id() method. It is important to note that the core Moodle
LMS was NOT affected by this vulnerability, however as a precaution,
this library has been upgraded to remove the risk entirely, in case
any third party code/plugins uses the vulnerable code.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Alex Chiou
CVE identifier: CVE-2025-46337
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85375
Tracker issue: MDL-85375 Upgrade ADOdb including security fix (upstream)
_____________________________________________________________________

MSA-25-0032: SSRF risk via DNS rebind
by Michael Hawkins, Tuesday 17 June 2025, 23:25

A DNS rebind risk in the way cURL requests were handled could result
in an SSRF risk, due to the possibility of cURL blocked hosts /
allowed ports site configurations being bypassed.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Rekter0 and Holme, 0x123456789, TaiYou, and Vladislav Gladkiy (Positive Technologies)
CVE identifier: CVE-2025-49514
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83762
Tracker issue: MDL-83762 SSRF risk via DNS rebind
_____________________________________________________________________

MSA-25-0033: Course visibility not honoured consistently
by Michael Hawkins, Tuesday 17 June 2025, 23:26

Insufficient state and capability checks resulted in some details of
hidden courses (such as course name, description and teachers) being
available to users who did not have permission to access them.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49515
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84518
Tracker issue: MDL-84518 Course visibility not honoured consistently
_____________________________________________________________________

MSA-25-0034: CSRF risk in badges backpack management
by Michael Hawkins, Tuesday 17 June 2025, 23:26

The "move up" and "move down" actions in backpack management for
badges did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49516
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84497
Tracker issue: MDL-84497 CSRF risk in badges backpack management
_____________________________________________________________________

MSA-25-0035: Missing authorisation checks in BigBlueButton view page
by Michael Hawkins, Tuesday 17 June 2025, 23:27

Insufficient authorisation checks could result in users being able to
view BigBlueButton recordings they did not have permission to access.

Severity/Risk: Serious
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: Vincent Schneider
CVE identifier: CVE-2025-49517
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84706
Tracker issue: MDL-84706 Missing authorisation checks in BigBlueButton view page
_____________________________________________________________________

MSA-25-0036: IDOR allows fetching of recently accessed courses for
other users via web service
by Michael Hawkins, Tuesday 17 June 2025, 23:28

A stricter capability check was required to restrict which users can
fetch other users' recently accessed courses information.

Severity/Risk: Minor
Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions
Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19
Reported by: B3XAL
CVE identifier: CVE-2025-49518
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79993
Tracker issue: MDL-79993 IDOR allows fetching of recently accessed courses for other users via web service

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |    email:cert@support.renater.fr +
=========================================================
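
Added example for MSA-25-0032 (not part of the advisory and not Moodle's patch): a blocked-hosts check that resolves a name separately from the connection can be bypassed when the DNS answer changes between the two lookups, while resolving once and pinning the validated address closes the gap. The block list, allowed ports, function names, hostname and DNS answers are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for this example; not Moodle's default settings.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
ALLOWED_PORTS = {80, 443}

class Blocked(Exception):
    """Raised when a URL fails the host or port policy."""

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:127.0.0.1 -> 127.0.0.1
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

def host_port(url):
    parts = urlsplit(url)
    return parts.hostname, parts.port or {"http": 80, "https": 443}.get(parts.scheme)

def check_then_fetch(url, resolve, connect):
    """Flawed pattern: the policy check and the connection each do a lookup."""
    host, port = host_port(url)
    if port not in ALLOWED_PORTS or any(is_blocked(ip) for ip in resolve(host)):
        raise Blocked(url)
    return connect(resolve(host)[0], port)       # second lookup may differ

def pinned_fetch(url, resolve, connect):
    """Hardened pattern: resolve once, validate every answer, connect to that IP."""
    host, port = host_port(url)
    ips = resolve(host)
    if port not in ALLOWED_PORTS or not ips or any(is_blocked(ip) for ip in ips):
        raise Blocked(url)
    pin = f"{host}:{port}:{ips[0]}"              # cURL --resolve / CURLOPT_RESOLVE entry
    return connect(ips[0], port), pin

def changing_resolver(answers):
    """Constructed stand-in for DNS: returns a different answer on each lookup."""
    queue = list(answers)
    return lambda host: queue.pop(0) if len(queue) > 1 else queue[0]

def demo():
    answers = [["203.0.113.10"], ["127.0.0.1"]]  # constructed sample answers
    connect = lambda ip, port: ip                # fake socket: reports the peer IP
    naive = check_then_fetch("http://rebind.example/", changing_resolver(answers), connect)
    safe, pin = pinned_fetch("http://rebind.example/", changing_resolver(answers), connect)
    return naive, safe, pin
```

With these constructed answers, demo() shows the check-then-fetch path connecting to 127.0.0.1 even though the address it validated was public, while the pinned path connects only to the address it validated.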