Bug 2373835 (CVE-2025-49515)

Summary: CVE-2025-49515 moodle: Course visibility not honoured consistently
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in Moodle. Insufficient state and capability checks allowed some details of hidden courses, including course names, descriptions, and teachers, to be accessible to users without proper permission.
Bug Depends On: 2373858, 2373861

Description (OSIDB Bzimport, 2025-06-19 08:38:23 UTC)
Insufficient state and capability checks resulted in some details of hidden courses (such as course name, description and teachers) being available to users who did not have permission to access them.

Versions affected: 5.0, 4.5 to 4.5.4, 4.4 to 4.4.8, 4.1 to 4.1.18 and earlier unsupported versions

Versions fixed: 5.0.1, 4.5.5, 4.4.9 and 4.1.19

https://moodle.org/mod/forum/discuss.php?d=468504
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84518