Bug 2404427 (CVE-2025-62394)

Summary: CVE-2025-62394 moodle: Quiz notifications sent to suspended participants
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2404462, 2404461    
Bug Blocks:    

Description OSIDB Bzimport 2025-10-16 14:18:45 UTC 
Due to insufficient enrolment validation, quiz notifications could be sent to users with inactive or suspended enrolments. This information disclosure occurs automatically through the notification system and can reveal limited details about ongoing assessments.

Versions affected: 5.0 to 5.0.2 and 4.5 to 4.5.6
Versions fixed: 5.0.3 and 4.5.7