CVE-2025-3634 – moodle/moodle

Package

Manager: composer
Name: moodle/moodle
Vulnerable Version: >=4.3.0-beta <4.3.12 || >=4.4.0-beta <4.4.8 || >=4.5.0-beta <4.5.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00045 pctl0.13

Details

Moodle self enrollment available before completing second factor with MFA enabled A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

Metadata

Created: 2025-04-25T15:31:22Z
Modified: 2025-04-25T16:30:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhc7-xhc2-7p7w/GHSA-qhc7-xhc2-7p7w.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-qhc7-xhc2-7p7w
Finding: F006
Auto approve: 1