SB2026032622 - Fedora 42 update for moodle

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026032622

SB2026032622 - Fedora 42 update for moodle

Published: March 26, 2026

Security Bulletin ID SB2026032622
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 14% Medium 86%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2025-62394)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to insufficient enrolment checks. A remote user with inactive enrolment in the course can gain access to quiz notifications.


2) Improper access control (CVE-ID: CVE-2025-62395)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to external cohort search service method leaks system cohort data. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.


3) Exposure of Information Through Directory Listing (CVE-ID: CVE-2025-62396)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect error handling in the routing system. A remote attacker can gain unauthorized access to sensitive information on the system.


4) Improper Authentication (CVE-ID: CVE-2025-62398)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incorrect handling of some endpoints during login. A remote user can bypass the second factor of multi-factor authentication.


5) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-62399)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected application does not limit the number of password attempts when the mobile client and auth_webservice were enabled. A remote attacker can brute force password checks against known usernames.


6) Information disclosure (CVE-ID: CVE-2025-62400)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insufficient capability checks. A remote user with access to create group calendar events can see hidden and separate groups in the list of groups to select for calendar events.


7) Improper Authorization (CVE-ID: CVE-2025-62401)

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote user can bypass the timed restriction on a timed assignment.


Remediation

Install update from vendor's website.

References