CVE-2025-67856
Moodle: moodle: privilege escalation via incomplete role checks in badge awarding
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.02%
Description
A flaw was found in Moodle: an authorization logic error, specifically incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification of the awarder's authorization. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.
How to fix CVE-2025-67856
To remediate CVE-2025-67856, upgrade the affected package to a fixed version below.
- upgrade to 4.1.22 or later (listed for both affected packages)
Note that the affected version ranges below also mark the 4.4, 4.5, 5.0 and 5.1 branches as vulnerable up to their own fixed releases (4.4.12, 4.5.8, 5.0.4 and 5.1.1 respectively), so a version that is merely later than 4.1.22 is not necessarily fixed; upgrade to at least the fixed release of the branch in use.
Is CVE-2025-67856 being exploited?
Low — EPSS is 0.0%, meaning the estimated probability of exploitation in the wild is very low and no exploitation activity has been observed at scale.
Affected packages (2)
- all versions < 4.1.22; >= 4.4.0 and < 4.4.12; >= 4.5.0 and < 4.5.8; >= 5.0.0 and < 5.0.4; >= 5.1.0 and < 5.1.1
- all versions < 4.1.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |