SB2026032640 - Multiple vulnerabilities in Moodle
Published: March 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2025-67848)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper handling of insufficient permissions or privileges. A remote suspended user can authenticate via the LTI Provider.
2) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2025-67857)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when blind marking is enabled for an assignment. A remote user can gain access to user IDs.
3) Improper Authorization (CVE-ID: CVE-2025-67856)
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote user who do not hold the role can be awarded with badges with a role criterion.
4) Cross-site scripting (CVE-ID: CVE-2025-67855)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in policy tool. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Improper access control (CVE-ID: CVE-2025-67854)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can access forum ratings without permission.
6) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-67853)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected application does not limit the number of password attempts within confirmation email web service. A remote attacker can brute force password checks on the target system.
7) Open redirect (CVE-ID: CVE-2025-67852)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in OAuth login. A remote user can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
8) Cross-site scripting (CVE-ID: CVE-2025-67850)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in formula editor. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Cross-site scripting (CVE-ID: CVE-2025-67849)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within AI provider responses. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://moodle.org/mod/forum/discuss.php?d=471298
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-87286&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471307
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-82808&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471306
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86507&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471305
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86544&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471304
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86960&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471303
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-86326&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471302
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-80317&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471300
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-85557&type=commits
- https://moodle.org/mod/forum/discuss.php?d=471299
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-87267&type=commits