CVE-2025-67857 - Vulnerability Details - OpenCVE

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2025-67857
https://bugzilla.redhat.com/show_bug.cgi?id=2423868
https://moodle.org/mod/forum/discuss.php?d=471307

History

Tue, 03 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.
Title		Moodle: moodle: data exposure of user identifiers in urls
Weaknesses		CWE-201
References		https://access.redhat.com/security/cve/CVE-2025-67857 https://bugzilla.redhat.com/show_bug.cgi?id=2423868 https://moodle.org/mod/forum/discuss.php?d=471307
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2026-02-03T10:52:22.459Z

Updated: 2026-02-03T10:52:22.459Z

Reserved: 2025-12-12T13:00:24.331Z

Link: CVE-2025-67857

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-03T11:15:56.090

Modified: 2026-02-03T11:15:56.090

Link: CVE-2025-67857

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67857", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2025-12-12T13:00:24.331Z", "datePublished": "2026-02-03T10:52:22.459Z", "dateUpdated": "2026-02-03T10:52:22.459Z"}, "containers": {"cna": {"title": "Moodle: moodle: data exposure of user identifiers in urls", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure."}], "affected": [{"versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.22", "versionType": "semver"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.12", "versionType": "semver"}, {"status": "affected", "version": "4.5.0", "lessThan": "4.5.8", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.1.1", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle/", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-67857", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423868", "name": "RHBZ#2423868", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=471307"}], "datePublic": "2025-12-15T04:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-201: Insertion of Sensitive Information Into Sent Data", "timeline": [{"lang": "en", "time": "2025-12-19T13:40:16.882000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-12-15T04:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Mihail Geshoski for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2026-02-03T10:52:22.459Z"}}}}