
CVE-2025-62394: Moodle sends quiz-related messages to inactive/suspended users

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.05501%
Published: 10/23/2025
Updated: 10/24/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name  | Ecosystem | Vulnerable Versions     | First Patched Version
moodle/moodle | composer  | >= 5.0.0-beta, < 5.0.3  | 5.0.3
moodle/moodle | composer  | >= 4.5.0-beta, < 4.5.7  | 4.5.7

Vulnerability Intelligence

Root Cause Analysis

The analysis of the provided commit 022bfbfb564d8f3866a43d26eed215213bbdd28a clearly indicates that the vulnerability is located in the get_users_within_quiz function within the mod_quiz\notification_helper class. The vulnerability description states that Moodle was sending quiz-related messages to inactive or suspended users. The patch addresses this by adding the onlyactive: true parameter to the get_enrolled_users call inside get_users_within_quiz. This change ensures that only users with an active enrolment in the course are returned, thus preventing the information leak. The test file changes in the same commit further confirm this by adding assertions to ensure suspended users are not included in the function's output. Therefore, the mod_quiz\notification_helper::get_users_within_quiz function is the exact location of the vulnerability.

Vulnerable functions

mod_quiz\notification_helper::get_users_within_quiz
mod/quiz/classes/notification_helper.php
The function `get_users_within_quiz` is vulnerable because it retrieves a list of users for a quiz without checking if their enrolment is active. This is because the call to `get_enrolled_users` was missing the `onlyactive: true` parameter. This allowed suspended or inactive users to receive quiz notifications, leading to an information leak. The patch adds this parameter to filter out inactive users.
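To make the effect of the missing parameter concrete, the following is an added, stand-alone example (not Moodle's code and not the patched commit): it models the "active enrolment" test that Moodle's `get_enrolled_users(..., onlyactive: true)` applies in SQL (user enrolment active, enrol instance enabled, current time inside the enrolment window) over constructed enrolment rows, and shows which recipients the unpatched `get_users_within_quiz` behaviour would have included. The constant values mirror Moodle's enrol library; the row layout and function names are assumptions for the illustration.

```php
<?php
// Added example, not Moodle's code. Models the filter that
// get_enrolled_users(..., onlyactive: true) applies; constants as in
// Moodle's lib/enrollib.php, row layout constructed for this example.
const ENROL_USER_ACTIVE = 0;
const ENROL_USER_SUSPENDED = 1;
const ENROL_INSTANCE_ENABLED = 0;
const ENROL_INSTANCE_DISABLED = 1;

/** True if this enrolment row is what Moodle treats as active at $now. */
function is_active_enrolment(array $ue, int $now): bool
{
    return $ue['ue_status'] === ENROL_USER_ACTIVE
        && $ue['enrol_status'] === ENROL_INSTANCE_ENABLED
        && $ue['timestart'] < $now
        && ($ue['timeend'] === 0 || $ue['timeend'] > $now);
}

/** Recipient user ids for a quiz notification, with or without the filter. */
function quiz_recipients(array $enrolments, int $now, bool $onlyactive): array
{
    $ids = [];
    foreach ($enrolments as $ue) {
        if ($onlyactive && !is_active_enrolment($ue, $now)) {
            continue; // suspended, disabled instance, or outside the window
        }
        $ids[] = $ue['userid'];
    }
    return array_values(array_unique($ids));
}

// Constructed sample enrolment rows (not real data).
$now = 1_700_000_000;
$rows = [
    ['userid' => 1, 'ue_status' => ENROL_USER_ACTIVE,    'enrol_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0, 'timeend' => 0],
    ['userid' => 2, 'ue_status' => ENROL_USER_SUSPENDED, 'enrol_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0, 'timeend' => 0],
    ['userid' => 3, 'ue_status' => ENROL_USER_ACTIVE,    'enrol_status' => ENROL_INSTANCE_DISABLED, 'timestart' => 0, 'timeend' => 0],
    ['userid' => 4, 'ue_status' => ENROL_USER_ACTIVE,    'enrol_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0, 'timeend' => $now - 1],
];

$before = quiz_recipients($rows, $now, onlyactive: false); // unpatched behaviour
$after  = quiz_recipients($rows, $now, onlyactive: true);  // patched behaviour
$leaked = array_values(array_diff($before, $after));

assert($after === [1]);
assert($leaked === [2, 3, 4]);
echo 'notified despite inactive enrolment: ' . implode(', ', $leaked) . PHP_EOL;
```

The same comparison, run against a real site's enrolment tables before and after upgrading, is a quick way to confirm the fix reaches every quiz notification path.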

WAF Protection Rules

WAF Rule

Moodle fails to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.
