=====================================================================
CERT-Renater Information Note No. 2025/VULN739
_____________________________________________________________________

DATE                 : 28/10/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Moodle versions prior to 5.0.3, 4.5.7, 4.4.11, 4.1.21.
=====================================================================

https://moodle.org/mod/forum/discuss.php?d=470387
https://moodle.org/mod/forum/discuss.php?d=470381
https://moodle.org/mod/forum/discuss.php?d=470382
https://moodle.org/mod/forum/discuss.php?d=470383
https://moodle.org/mod/forum/discuss.php?d=470384
https://moodle.org/mod/forum/discuss.php?d=470385
https://moodle.org/mod/forum/discuss.php?d=470386
https://moodle.org/mod/forum/discuss.php?d=470388
https://moodle.org/mod/forum/discuss.php?d=470389
https://moodle.org/mod/forum/discuss.php?d=470390

_____________________________________________________________________

MSA-25-0047: Possible to bypass MFA
by Michael Hawkins, Tuesday 14 October 2025, 14:44

Incorrect handling of some endpoints during login made it possible to bypass the second factor of multi-factor authentication.

Note: A valid username and password were still required to log in.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6 and 4.4 to 4.4.10
Versions fixed: 5.0.3, 4.5.7 and 4.4.11
Reported by: Petr Skoda
CVE identifier: CVE-2025-62398
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86334
Tracker issue: MDL-86334 Possible to bypass MFA

_____________________________________________________________________

MSA-25-0041: Course access permissions are not properly checked in course_output_fragment_course_overview
by Michael Hawkins, Tuesday 14 October 2025, 14:35

Insufficient handling of course access checks in a course overview function could result in the information being returned to a user who did not have access to the course.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Dani Palou
CVE identifier: CVE-2025-62393
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86426
Tracker issue: MDL-86426 Course access permissions are not properly checked in course_output_fragment_course_overview

_____________________________________________________________________

MSA-25-0042: Upgrade FPDI including security fix (upstream)
by Michael Hawkins, Tuesday 14 October 2025, 14:42

The upstream FPDI library was upgraded, which included a security fix.

Severity/Risk: Serious
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Michael Hawkins
CVE identifier: CVE-2025-54869
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86353
Tracker issue: MDL-86353 Upgrade FPDI including security fix (upstream)

_____________________________________________________________________

MSA-25-0043: Quiz notifications sent to suspended course participants
by Michael Hawkins, Tuesday 14 October 2025, 14:43

Insufficient enrolment checks could result in quiz notifications being sent to users who had an inactive enrolment in the course (such as being suspended or past their enrolment end date).

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Philipp Hager
CVE identifier: CVE-2025-62394
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86253
Tracker issue: MDL-86253 Quiz notifications sent to suspended course participants

_____________________________________________________________________

MSA-25-0044: External cohort search service method leaks system cohort data
by Michael Hawkins, Tuesday 14 October 2025, 14:43

Insufficient capability checks meant a user with permission to manage/view cohorts in a lower context could retrieve data about cohorts defined in the system context, that they would not otherwise have access to.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Paul Holden
CVE identifier: CVE-2025-62395
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85421
Tracker issue: MDL-85421 External cohort search service method leaks system cohort data

_____________________________________________________________________

MSA-25-0045: When using router (r.php) it was possible for the server to show application directories
by Michael Hawkins, Tuesday 14 October 2025, 14:44

Incorrect error handling in the routing system could result in the application directories being listed if the "Accept text/html" header was not configured.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7
Reported by: Yedidia Klein
CVE identifier: CVE-2025-62396
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86494
Tracker issue: MDL-86494 When using router (r.php) it was possible for the server to show application directories

_____________________________________________________________________

MSA-25-0046: Router produces JSON instead of 404 error when passed a non-existent course ID
by Michael Hawkins, Tuesday 14 October 2025, 14:44

The router made it possible to determine valid course IDs due to inconsistent handling of valid and non-existent course IDs.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2
Versions fixed: 5.0.3
Reported by: Adam Jenkins
CVE identifier: CVE-2025-62397
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86335
Tracker issue: MDL-86335 Router produces JSON instead of 404 error when passed a non-existent course ID

_____________________________________________________________________

MSA-25-0048: Password brute force risk when mobile/web services enabled
by Michael Hawkins, Tuesday 14 October 2025, 14:45

It was possible to brute force password checks against known usernames when the mobile client and auth_webservice were enabled.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Petr Skoda
CVE identifier: CVE-2025-62399
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86327
Tracker issue: MDL-86327 Password brute force risk when mobile/web services enabled

_____________________________________________________________________

MSA-25-0049: Names of hidden groups are visible to users with access to create group calendar events
by Michael Hawkins, Tuesday 14 October 2025, 14:45

Insufficient capability checks meant users with the capability to create group events, but without the capability to view hidden groups, could see hidden and separate groups in the list of groups to select for calendar events.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Robert Toth
CVE identifier: CVE-2025-62400
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86261
Tracker issue: MDL-86261 Names of hidden groups are visible to users with access to create group calendar events

_____________________________________________________________________

MSA-25-0050: Possible to bypass timer in timed assignments
by Michael Hawkins, Tuesday 14 October 2025, 14:45

There was a behaviour that made it possible for a student to bypass the timed restriction on a timed assignment.

Severity/Risk: Minor
Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions
Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21
Reported by: Charles Fulton
CVE identifier: CVE-2025-62401
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087
Tracker issue: MDL-75087 Possible to bypass timer in timed assignments

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================