
CVE-2025-62400: Moodle exposed the names of hidden groups to users

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.063%
Published: 10/23/2025
Updated: 10/24/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name  | Ecosystem | Vulnerable Versions     | First Patched Version
moodle/moodle | composer  | >= 5.0.0-beta, < 5.0.3  | 5.0.3
moodle/moodle | composer  | >= 4.5.0-beta, < 4.5.7  | 4.5.7
moodle/moodle | composer  | >= 4.2.0-beta, < 4.4.11 | 4.4.11
moodle/moodle | composer  | < 4.1.21                | 4.1.21

Vulnerability Intelligence

Root Cause Analysis

The vulnerability exists because Moodle used an insecure method to retrieve group information for the calendar event form. The functions core_calendar_external::submit_create_update_form and calendar_output_fragment_event_form both called groups_get_course_data(), which returns every group in a course without checking whether the requesting user has permission to view them. As a result, any user with permission to create calendar events could see the names of all groups, including hidden ones. The patch replaces that call with groups_get_all_groups(), which respects group visibility settings and user capabilities. Until patched, any user who could trigger the creation or editing of a calendar event would execute the vulnerable code path and receive the names of hidden groups.

Vulnerable functions

core_calendar_external::submit_create_update_form (public/calendar/externallib.php)
This function processes the submission of a calendar event creation or update form. Before the patch, it used `groups_get_course_data()` to fetch all groups for the course, including hidden ones. The names of these groups were then added to the form options, exposing them to users without the necessary permissions.

calendar_output_fragment_event_form (public/calendar/lib.php)
This function is responsible for rendering the calendar event form. It fetched all course groups using `groups_get_course_data()` and populated the 'groups' form option with their names. This exposed the names of hidden groups to any user with permission to create or edit a calendar event.
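The pattern described above, as an added PHP illustration that is not Moodle's own code: a small course-group model with one members-only group, a fetch-everything path that stands in for `groups_get_course_data()`, and a visibility-filtered path that stands in for `groups_get_all_groups()`. The data layout, the helper names and the `$canviewhidden` flag (modelling a capability such as Moodle's viewhiddengroups capability) are assumptions made for this example.

```php
<?php
// Added illustration of the CVE-2025-62400 pattern; not Moodle's code.
// fetch_all_course_groups() models the vulnerable groups_get_course_data() path,
// fetch_visible_groups() models the patched groups_get_all_groups() path.

// Constructed sample: one open group and one hidden (members-only) group.
$groups = [
    ['id' => 1, 'name' => 'Project Team A',   'visibility' => 'all',     'members' => [10, 11]],
    ['id' => 2, 'name' => 'Remedial Support', 'visibility' => 'members', 'members' => [12]],
];

// Vulnerable pattern: every group in the course, regardless of who is asking.
function fetch_all_course_groups(array $groups): array {
    return $groups;
}

// Hardened pattern: only the groups the requesting user is allowed to see.
// $canviewhidden is an assumed stand-in for a "view hidden groups" capability.
function fetch_visible_groups(array $groups, int $userid, bool $canviewhidden): array {
    return array_values(array_filter($groups, function (array $g) use ($userid, $canviewhidden): bool {
        return $g['visibility'] === 'all'
            || $canviewhidden
            || in_array($userid, $g['members'], true);
    }));
}

// Builds the 'groups' form option (id => name) that the event form receives.
function build_group_options(array $groups): array {
    $options = [];
    foreach ($groups as $g) {
        $options[$g['id']] = $g['name'];
    }
    return $options;
}

// User 10 may create calendar events but is not a member of group 2
// and does not hold the view-hidden capability.
$before = build_group_options(fetch_all_course_groups($groups));
$after  = build_group_options(fetch_visible_groups($groups, 10, false));

echo "Vulnerable path: " . implode(', ', $before) . PHP_EOL;
echo "Patched path:    " . implode(', ', $after) . PHP_EOL;
```

Only the patched path keeps the hidden group's name out of the options handed to a user who is neither a member nor privileged, which is the check the real fix restored by switching to the visibility-aware lookup.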

WAF Protection Rules

WAF Rule

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.
