4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3645

CVE-2025-3645: Moodle has an IDOR in messaging web service which allows access to some user details

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-3645

CVE-2025-3645:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	< 4.1.18	4.1.18
moodle/moodle	composer	>= 4.3.0-beta, < 4.3.12	4.3.12
moodle/moodle	composer	>= 4.4.0-beta, < 4.4.8	4.4.8
moodle/moodle	composer	>= 4.5.0-beta, < 4.5.4	4.5.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description points to an IDOR in a messaging web service due to insufficient capability checks. The provided commits all modify the message/externallib.php file, specifically the get_member_info static method within the core_message_external class. Commit a8179842b450659c288f284e06361a4fbab8742a is the primary security patch. It introduces a filtering mechanism for the userids parameter by checking user_can_view_profile for each requested user. Before this change, the userids were passed directly to \core_message\helper::get_member_info without adequate permission checks, leading to the IDOR. The subsequent commits (2fd810c8981f9b10087467a3b8fce779b157200f and bb65effe41524d8373c1dc499c3323ac469ea558) refine this logic (e.g., by checking for existing contacts or adding early exits for empty arrays), but the core vulnerability was addressed by the initial filtering introduced in a8179842b450659c288f284e06361a4fbab8742a. Therefore, core_message_external::get_member_info is the function that was processing potentially malicious input (the userids parameter) without proper authorization checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-3645: Moodle has an IDOR in messaging web service which allows access to some user details

CVE-2025-3645:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-3645: Moodle has an IDOR in messaging web service which allows access to some user details

4.3

4.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI