CVE-2025-3644 - Vulnerability Details - OpenCVE

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2025-3644
https://bugzilla.redhat.com/show_bug.cgi?id=2359745
https://moodle.org/mod/forum/discuss.php?d=467605

History

Tue, 24 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moodle Moodle moodle
CPEs		cpe:2.3:a:moodle:moodle::::::::
Vendors & Products		Moodle Moodle moodle

Fri, 25 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 25 Apr 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
Title		Moodle: ajax section delete does not respect course_can_delete_section()
Weaknesses		CWE-863
References		https://access.redhat.com/security/cve/CVE-2025-3644 https://bugzilla.redhat.com/show_bug.cgi?id=2359745 https://moodle.org/mod/forum/discuss.php?d=467605
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2025-04-25T14:43:12.816Z

Updated: 2025-04-28T16:31:20.709Z

Reserved: 2025-04-15T12:53:20.080Z

Link: CVE-2025-3644

Vulnrichment

Updated: 2025-04-25T15:42:53.231Z

NVD

Status : Analyzed

Published: 2025-04-25T15:15:38.280

Modified: 2025-06-24T15:59:15.037

Link: CVE-2025-3644

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3644", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2025-04-15T12:53:20.080Z", "datePublished": "2025-04-25T14:43:12.816Z", "dateUpdated": "2025-04-28T16:31:20.709Z"}, "containers": {"cna": {"title": "Moodle: ajax section delete does not respect course_can_delete_section()", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify."}], "affected": [{"versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.4", "versionType": "semver"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.8", "versionType": "semver"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.12", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.18", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-3644", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359745", "name": "RHBZ#2359745", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=467605"}], "datePublic": "2025-04-22T12:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-863: Incorrect Authorization", "timeline": [{"lang": "en", "time": "2025-04-15T12:53:42.862000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-04-22T12:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank James E. Calder for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-04-28T16:31:20.709Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T15:42:51.876613Z", "id": "CVE-2025-3644", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T15:55:21.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T15:42:51.876613Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T15:42:53.231Z"}}], "cna": {"title": "Moodle: ajax section delete does not respect course_can_delete_section()", "credits": [{"lang": "en", "value": "Red Hat would like to thank James E. Calder for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.4", "versionType": "semver"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.8", "versionType": "semver"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.12", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.18", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-15T12:53:42.862000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-04-22T12:00:00+00:00", "value": "Made public."}], "datePublic": "2025-04-22T12:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-3644", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359745", "name": "RHBZ#2359745", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=467605"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "Incorrect Authorization"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-04-28T16:31:20.709Z"}, "x_redhatCweChain": "CWE-863: Incorrect Authorization"}}, "cveMetadata": {"cveId": "CVE-2025-3644", "state": "PUBLISHED", "dateUpdated": "2025-04-28T16:31:20.709Z", "dateReserved": "2025-04-15T12:53:20.080Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2025-04-25T14:43:12.816Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "245F0D61-A209-4129-AEA5-C8E1600F5202", "versionEndExcluding": "4.1.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF438B80-5736-46ED-897E-726B563F8E0A", "versionEndExcluding": "4.3.12", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E758F51B-ADBF-406E-92A8-98090BE83C2B", "versionEndExcluding": "4.4.8", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "F12B5C6F-A83C-488C-9C26-3C9A61F93618", "versionEndExcluding": "4.5.4", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Moodle. Se requirieron comprobaciones adicionales para evitar que los usuarios eliminaran secciones del curso que no ten\u00edan permiso para modificar."}], "id": "CVE-2025-3644", "lastModified": "2025-06-24T15:59:15.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "patrick@puiterwijk.org", "type": "Secondary"}]}, "published": "2025-04-25T15:15:38.280", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2025-3644"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359745"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=467605"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}