Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN862 _____________________________________________________________________ DATE : 16/12/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Moodle versions prior to 5.1.1, 5.0.4, 4.5.8, 4.4.12, 4.1.22. ===================================================================== https://moodle.org/mod/forum/discuss.php?d=471298 https://moodle.org/mod/forum/discuss.php?d=471297 https://moodle.org/mod/forum/discuss.php?d=470390 https://moodle.org/mod/forum/discuss.php?d=471299 https://moodle.org/mod/forum/discuss.php?d=471300 https://moodle.org/mod/forum/discuss.php?d=471301 https://moodle.org/mod/forum/discuss.php?d=471302 https://moodle.org/mod/forum/discuss.php?d=471303 https://moodle.org/mod/forum/discuss.php?d=471304 https://moodle.org/mod/forum/discuss.php?d=471305 https://moodle.org/mod/forum/discuss.php?d=471306 https://moodle.org/mod/forum/discuss.php?d=471307 _____________________________________________________________________ MSA-25-0052: Authentication via LTI Provider available to suspended users par Michael Hawkins, lundi 15 décembre 2025, 20:19 Suspended users were not prevented from authenticating via the LTI Provider Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Attilio Ferrari CVE identifier: CVE-2025-67848 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87286 Tracker issue: MDL-87286 Authentication via LTI Provider available to suspended users _____________________________________________________________________ MSA-25-0051: Remote code execution risk via file restore par Michael Hawkins, lundi 15 décembre 2025, 20:18 A remote code execution risk was identified in the file restore functionality. Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Dinhnhi CVE identifier: CVE-2025-67847 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87353 Tracker issue: MDL-87353 Remote code execution risk via file restore _____________________________________________________________________ MSA-25-0050: Possible to bypass timer in timed assignments par Michael Hawkins, mardi 14 octobre 2025, 14:45 There was a behaviour that made it possible for a student to bypass the timed restriction on a timed assignment. Severity/Risk: Minor Versions affected: 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions Versions fixed: 5.0.3, 4.5.7, 4.4.11 and 4.1.21 Reported by: Charles Fulton CVE identifier: CVE-2025-62401 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75087 Tracker issue: MDL-75087 Possible to bypass timer in timed assignments _____________________________________________________________________ MSA-25-0053: XSS risk via AI prompt injection par Michael Hawkins, lundi 15 décembre 2025, 20:19 Insufficient sanitizing of AI provider responses resulted in an XSS risk. Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3 and 4.5 to 4.5.7 Versions fixed: 5.1.1, 5.0.4 and 4.5.8 Reported by: Vuln37 CVE identifier: CVE-2025-67849 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87267 Tracker issue: MDL-87267 XSS risk via AI prompt injection _____________________________________________________________________ MSA-25-0054: XSS risk in formula editor par Michael Hawkins, lundi 15 décembre 2025, 20:20 Insufficient sanitizing in the formula editor could result in an XSS risk. Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Aleksey Solovev (Positive Technologies) CVE identifier: CVE-2025-67850 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85557 Tracker issue: MDL-85557 XSS risk in formula editor _____________________________________________________________________ MSA-25-0055: Formula injection risk when exporting data to CSV / Excel par Michael Hawkins, lundi 15 décembre 2025, 20:21 Insufficient sanitizing when exporting data to CSV / XLSX format could result in malicious formulas being inserted into the files. Note: Most modern spreadsheet software will warn users and require confirmation before running potentially risky formulas, however this is still considered a risk as users may still accept the warning. Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Brendan Heywood CVE identifier: CVE-2025-67851 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72744 Tracker issue: MDL-72744 Formula injection risk when exporting data to CSV / Excel _____________________________________________________________________ MSA-25-0056: Open redirect in OAuth login par Michael Hawkins, lundi 15 décembre 2025, 20:21 An open redirect risk existed in the OAuth login functionality. Severity/Risk: Minor Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Paolo Lazzaroni CVE identifier: CVE-2025-67852 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80317 Tracker issue: MDL-80317 Open redirect in OAuth login _____________________________________________________________________ MSA-25-0057: Password brute force risk from confirmation email web service par Michael Hawkins, lundi 15 décembre 2025, 20:22 Insufficient checks on a confirmation email web service made it easier to brute force password checks against known usernames. Severity/Risk: Minor Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Petr Skoda CVE identifier: CVE-2025-67853 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86326 Tracker issue: MDL-86326 Password brute force risk from confirmation email web service _____________________________________________________________________ MSA-25-0058: Participants can access forum ratings without permission par Michael Hawkins, lundi 15 décembre 2025, 20:22 Forum ratings required additional permission checks to prevent users from being able to view ratings they did not have the capability to access. Severity/Risk: Minor Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Stefan Hanauska CVE identifier: CVE-2025-67854 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86960 Tracker issue: MDL-86960 Participants can access forum ratings without permission _____________________________________________________________________ MSA-25-0059: Reflected XSS risk in policy tool par Michael Hawkins, lundi 15 décembre 2025, 20:23 The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk. Severity/Risk: Serious Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Nicecatch2000 CVE identifier: CVE-2025-67855 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86544 Tracker issue: MDL-86544 Reflected XSS risk in policy tool _____________________________________________________________________ MSA-25-0060: Badges with a role criterion could be awarded to users who do not hold the role par Michael Hawkins, lundi 15 décembre 2025, 20:23 Badges being awarded with a role performed the correct capability check, but did not verify the user had the required role to meet the award criterion. Severity/Risk: Minor Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Stefan Hanauska CVE identifier: CVE-2025-67856 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86507 Tracker issue: MDL-86507 Badges with a role criterion could be awarded to users who do not hold the role _____________________________________________________________________ MSA-25-0061: User IDs exposed in URLs when using anonymous submissions in assignment par Michael Hawkins, lundi 15 décembre 2025, 20:23 When blind marking is enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked. Severity/Risk: Minor Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 Reported by: Mihail Geshoski CVE identifier: CVE-2025-67857 Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82808 Tracker issue: MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================