CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53021
https://notcve.org/view.php?id=CVE-2025-53021
24 Jun 2025 — A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects produc... • https://github.com/moodle/moodle/releases/tag/v3.11.18 • CWE-384: Session Fixation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32045 – Moodle: hidden grades shown to users without permission on some grade reports
https://notcve.org/view.php?id=CVE-2025-32045
25 Apr 2025 — A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades. • https://access.redhat.com/security/cve/CVE-2025-32045 • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32044 – Moodle: unauthenticated rest api user data exposure
https://notcve.org/view.php?id=CVE-2025-32044
25 Apr 2025 — A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability. • https://access.redhat.com/security/cve/CVE-2025-32044 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3647 – Moodle: idor when accessing the cohorts report
https://notcve.org/view.php?id=CVE-2025-3647
25 Apr 2025 — A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. • https://access.redhat.com/security/cve/CVE-2025-3647 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3645 – Moodle: idor in messaging web service allows access to some user details
https://notcve.org/view.php?id=CVE-2025-3645
25 Apr 2025 — A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. • https://access.redhat.com/security/cve/CVE-2025-3645 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3644 – Moodle: ajax section delete does not respect course_can_delete_section()
https://notcve.org/view.php?id=CVE-2025-3644
25 Apr 2025 — A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. • https://access.redhat.com/security/cve/CVE-2025-3644 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3643 – Moodle: reflected xss risk in policy tool
https://notcve.org/view.php?id=CVE-2025-3643
25 Apr 2025 — A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. • https://access.redhat.com/security/cve/CVE-2025-3643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3642 – Moodle: authenticated remote code execution risk in the moodle lms equella repository
https://notcve.org/view.php?id=CVE-2025-3642
25 Apr 2025 — A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled. • https://access.redhat.com/security/cve/CVE-2025-3642 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3641 – Moodle: authenticated remote code execution risk in the moodle lms dropbox repository
https://notcve.org/view.php?id=CVE-2025-3641
25 Apr 2025 — A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled. • https://access.redhat.com/security/cve/CVE-2025-3641 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3640 – Moodle: idor in web service allows users enrolled in a course to access some details of other users
https://notcve.org/view.php?id=CVE-2025-3640
25 Apr 2025 — A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access. • https://access.redhat.com/security/cve/CVE-2025-3640 • CWE-639: Authorization Bypass Through User-Controlled Key •