CVE-2025-3642 | THREATINT

Description

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

PUBLISHED Reserved 2025-04-15 | Published 2025-04-25 | Updated 2025-04-28 | Assigner fedora

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Control of Generation of Code ('Code Injection')

Product status

Default status

unaffected

4.5.0 (semver) before 4.5.4

affected

4.4.0 (semver) before 4.4.8

affected

4.3.0 (semver) before 4.3.12

affected

4.1.0 (semver) before 4.1.18

affected

Timeline

2025-04-15:	Reported to Red Hat.
2025-04-22:	Made public.

Credits

Red Hat would like to thank Vincent Schneider for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-3642 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2359738 (RHBZ#2359738) issue-tracking

moodle.org/mod/forum/discuss.php?d=467603

cve.org (CVE-2025-3642)

nvd.nist.gov (CVE-2025-3642)

Download JSON