Bug 2359735 (CVE-2025-3641)

Summary: CVE-2025-3641 moodle: Authenticated remote code execution risk in the Moodle LMS Dropbox repository
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2361660, 2361661, 2361662
Bug Blocks:
Deadline: 2025-04-22

Description OSIDB Bzimport 2025-04-15 12:22:31 UTC
A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions.

Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18