SB2026032623 - Fedora 41 update for moodle

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2025-62395)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to external cohort search service method leaks system cohort data. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.

2) Improper Authentication (CVE-ID: CVE-2025-62398)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incorrect handling of some endpoints during login. A remote user can bypass the second factor of multi-factor authentication.

3) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-62399)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected application does not limit the number of password attempts when the mobile client and auth_webservice were enabled. A remote attacker can brute force password checks against known usernames.

4) Information disclosure (CVE-ID: CVE-2025-62400)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insufficient capability checks. A remote user with access to create group calendar events can see hidden and separate groups in the list of groups to select for calendar events.

5) Improper Authorization (CVE-ID: CVE-2025-62401)

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote user can bypass the timed restriction on a timed assignment.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2025-d50e995e7d