CVE-2025-62401: Moodle has a time restriction bypass

The vulnerability in Moodle's timed assignment feature allowed students to bypass the time restriction by having the timer start automatically upon visiting the submission page, rather than when they explicitly chose to begin. The analysis of the provided patch (commit 78a3fe6c618676dfc53ea538abbfe35e60674eeb) reveals the root cause and the affected functions.

The core of the vulnerability lies in the get_user_submission and get_group_submission functions within public/mod/assign/locallib.php. These functions would check if an assignment had a time limit and if the timer had started. If not, they would immediately set the timestarted field upon page load when the action was 'editsubmission'. This allowed a student to trigger the timer simply by loading the page, then leave and come back later to complete the assignment, exceeding the intended time limit.

The patch rectifies this by introducing an explicit confirmation step. A new begin=1 URL parameter is required to start the timer. The get_user_submission and get_group_submission functions were updated to only start the timer if this parameter is present.

Consequently, the mod_assign\output\user_submission_actionmenu::export_for_template function was modified to add this begin=1 parameter to the URL of the 'Begin assignment' button. Furthermore, the assign::view_edit_submission_page function was updated to prevent direct rendering of the submission form for a timed assignment that has not been started, instead showing a confirmation dialog.

Therefore, the identified functions are directly involved in the vulnerable process of automatically starting the assignment timer. During an exploit, these functions would be present in the stack trace as the student navigates to the submission page of a timed assignment.