CVE-2025-67848

Source
https://cve.org/CVERecord?id=CVE-2025-67848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67848
Aliases
Downstream
Published
2026-02-03T10:51:58.208Z
Modified
2026-07-08T08:12:20.609986997Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access.
Details

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67848.json",
    "cna_assigner": "fedora",
    "cwe_ids": [
        "CWE-280"
    ]
}
References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type
GIT
Repo
https://github.com/moodle/moodle
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.22"
        },
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.4.12"
        },
        {
            "introduced": "4.5.0"
        },
        {
            "fixed": "4.5.8"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.4"
        },
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

5.*
5.1.0-NA
v4.*
v4.1.0
v4.1.1
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.1.14
v4.1.15
v4.1.16
v4.1.17
v4.1.18
v4.1.19
v4.1.2
v4.1.20
v4.1.21
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.4.0
v4.4.1
v4.4.10
v4.4.11
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67848.json"