CVE-2025-67853 | THREATINT

Description

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.

PUBLISHED Reserved 2025-12-12 | Published 2026-02-03 | Updated 2026-02-03 | Assigner fedora

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Restriction of Excessive Authentication Attempts

Product status

Default status

unaffected

4.1.0 (semver) before 4.1.22

affected

4.4.0 (semver) before 4.4.12

affected

4.5.0 (semver) before 4.5.8

affected

5.0.0 (semver) before 5.0.4

affected

5.1.0 (semver) before 5.1.1

affected

Timeline

2025-12-19:	Reported to Red Hat.
2025-12-15:	Made public.

Credits

Red Hat would like to thank Petr Skoda for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-67853 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2423847 (RHBZ#2423847) issue-tracking

cve.org (CVE-2025-67853)

nvd.nist.gov (CVE-2025-67853)

Download JSON

help @ threatint.eu