Home

Description

Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-23 | Updated 2025-10-23 | Assigner fedora




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Improper Restriction of Excessive Authentication Attempts

Product status

Default status
unaffected

5.0.0 (semver) before 5.0.3
affected

4.5.0 (semver) before 4.5.7
affected

4.4.0 (semver) before 4.4.11
affected

4.1.0 (semver) before 4.1.21
affected

Timeline

2025-10-16:Reported to Red Hat.
2025-10-14:Made public.

Credits

Red Hat would like to thank Petr Skoda for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-62399 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2404432 (RHBZ#2404432) issue-tracking

cve.org (CVE-2025-62399)

nvd.nist.gov (CVE-2025-62399)

Download JSON