CVE-2025-26531 - Vulnerability Details - OpenCVE

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239
https://moodle.org/mod/forum/discuss.php?d=466148

History

Thu, 07 Aug 2025 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moodle Moodle moodle
CPEs		cpe:2.3:a:moodle:moodle::::::::
Vendors & Products		Moodle Moodle moodle

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Description		Insufficient capability checks made it possible to disable badges a user does not have permission to access.
Title		IDOR in badges allows disabling of arbitrary badges
Weaknesses		CWE-863
References		http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239 https://moodle.org/mod/forum/discuss.php?d=466148
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2025-02-24T20:02:57.732Z

Updated: 2025-02-25T14:19:51.530Z

Reserved: 2025-02-12T13:29:39.337Z

Link: CVE-2025-26531

Vulnrichment

Updated: 2025-02-25T14:19:47.132Z

NVD

Status : Analyzed

Published: 2025-02-24T20:15:33.933

Modified: 2025-08-07T00:06:02.483

Link: CVE-2025-26531

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-26531", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2025-02-12T13:29:39.337Z", "datePublished": "2025-02-24T20:02:57.732Z", "dateUpdated": "2025-02-25T14:19:51.530Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-02-24T20:02:57.732Z"}, "title": "IDOR in badges allows disabling of arbitrary badges", "datePublic": "2025-02-18T05:40:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "Moodle Project", "product": "moodle", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.2", "versionType": "semver"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.6", "versionType": "semver"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.10", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.16", "versionType": "semver"}, {"status": "unknown", "version": "0", "lessThan": "4.0.*", "versionType": "semver"}, {"status": "unknown", "version": "4.2.0", "lessThan": "4.2.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access."}]}], "references": [{"url": "https://moodle.org/mod/forum/discuss.php?d=466148", "tags": ["vendor-advisory"]}, {"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:19:42.478063Z", "id": "CVE-2025-26531", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:19:51.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-26531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:19:42.478063Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:19:47.132Z"}}], "cna": {"title": "IDOR in badges allows disabling of arbitrary badges", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Moodle Project", "product": "moodle", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.2", "versionType": "semver"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.6", "versionType": "semver"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.10", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.16", "versionType": "semver"}, {"status": "unknown", "version": "0", "lessThan": "4.0.*", "versionType": "semver"}, {"status": "unknown", "version": "4.2.0", "lessThan": "4.2.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-02-18T05:40:00.000Z", "references": [{"url": "https://moodle.org/mod/forum/discuss.php?d=466148", "tags": ["vendor-advisory"]}, {"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access.", "supportingMedia": [{"type": "text/html", "value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-02-24T20:02:57.732Z"}}}, "cveMetadata": {"cveId": "CVE-2025-26531", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:19:51.530Z", "dateReserved": "2025-02-12T13:29:39.337Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2025-02-24T20:02:57.732Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABE6D6ED-55D3-46B4-84DC-7C3684E3260E", "versionEndExcluding": "4.1.16", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DF83192-5999-4E1B-B109-A1B0F68437B2", "versionEndExcluding": "4.3.10", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "B91CC5BB-FFB9-4D09-9001-105A8B68208E", "versionEndExcluding": "4.4.6", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "830F7FD6-3257-44A2-9599-2C5C2FF2BA20", "versionEndExcluding": "4.5.2", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access."}, {"lang": "es", "value": " Las comprobaciones de capacidad insuficientes hicieron posible deshabilitar insignias a las que un usuario no tiene permiso de acceso."}], "id": "CVE-2025-26531", "lastModified": "2025-08-07T00:06:02.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-24T20:15:33.933", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=466148"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}