CVE-2025-67857 | THREATINT

Description

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

PUBLISHED Reserved 2025-12-12 | Published 2026-02-03 | Updated 2026-02-03 | Assigner fedora

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Problem types

Insertion of Sensitive Information Into Sent Data

Product status

Default status

unaffected

4.1.0 (semver) before 4.1.22

affected

4.4.0 (semver) before 4.4.12

affected

4.5.0 (semver) before 4.5.8

affected

5.0.0 (semver) before 5.0.4

affected

5.1.0 (semver) before 5.1.1

affected

Timeline

2025-12-19:	Reported to Red Hat.
2025-12-15:	Made public.

Credits

Red Hat would like to thank Mihail Geshoski for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-67857 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2423868 (RHBZ#2423868) issue-tracking

moodle.org/mod/forum/discuss.php?d=471307

cve.org (CVE-2025-67857)

nvd.nist.gov (CVE-2025-67857)

Download JSON

help @ threatint.eu