Access Control Vulnerability in Moodle by Moodle HQ
CVE-2025-3640
4.3 MEDIUM
What is CVE-2025-3640?
A vulnerability has been identified in the Moodle platform where inadequate capability checks allow enrolled users to access information they are not authorized to see. This includes sensitive details such as the full names and profile image URLs of other users within the course, potentially compromising user privacy and security. Administrators should apply the necessary security updates to prevent this data from being exposed.
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Khikhi for reporting this issue.