Home

Description

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.

PUBLISHED Reserved 2025-04-02 | Published 2025-04-25 | Updated 2025-04-25 | Assigner fedora




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

4.5.0 (semver)
affected

Timeline

2025-04-02:Reported to Red Hat.
2025-04-02:Made public.

Credits

Red Hat would like to thank Lucas Alonso for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-32044 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2356829 (RHBZ#2356829) issue-tracking

cve.org (CVE-2025-32044)

nvd.nist.gov (CVE-2025-32044)

Download JSON