Bug 2359707 (CVE-2025-3634)

Summary: CVE-2025-3634 moodle: Moodle Allows Course Self-Enrolment Before Completing MFA
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2361799, 2361800    
Bug Blocks:    
Deadline: 2025-04-22   

Description OSIDB Bzimport 2025-04-15 09:56:14 UTC
On sites with Multi-Factor Authentication enabled, it was  possible to use course self enrollment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrollment.

Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed:    4.5.4, 4.4.8 and 4.3.12