CVE-2025-3636

4.3 MEDIUM

📋 TL;DR

This vulnerability in Moodle allows unauthorized users to access RSS feeds due to insufficient permission checks. Any Moodle instance with RSS feeds enabled is affected, potentially exposing internal information to unauthenticated users.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific versions not detailed in references; check Moodle security advisories for exact range
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Requires RSS feeds to be enabled in Moodle configuration; many installations use RSS for announcements and updates.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthenticated attackers access sensitive RSS feeds containing internal course information, announcements, or user data that should be restricted.

🟠 Likely Case: Unauthorized users view RSS feeds for courses or activities they shouldn't have access to, potentially learning about internal organizational activities.

🟢 If Mitigated: Limited exposure of non-sensitive RSS feed content with minimal impact on system integrity.

🌐 Internet-Facing: MEDIUM - RSS feeds are often publicly accessible, but impact depends on feed content sensitivity.
🏢 Internal Only: LOW - Internal users already have some access, though unauthorized access to restricted feeds remains possible.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of RSS feed URLs but no authentication; simple HTTP requests can test for vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security releases for MDL-84499 fix

Vendor Advisory: https://moodle.org/security/

Restart Required: No

Instructions:

1. Check the Moodle version.
2. Apply the security patch for MDL-84499 from the Moodle git repository.
3. Update to the latest Moodle version if available.
4. No server restart is needed for PHP code changes.

🔧 Temporary Workarounds

Disable RSS feeds (platform: all)

Temporarily disable RSS functionality in Moodle to prevent unauthorized access.

Edit Moodle config.php: $CFG->enablerssfeeds = false; (a value set in config.php overrides the corresponding Site administration setting and makes it read-only in the admin UI, so the feature cannot be re-enabled by mistake until the line is removed).

Restrict RSS access via web server (platform: linux)

Use web server configuration to restrict access to RSS feed URLs. Note that feed readers fetch Moodle feeds with a token in the URL and cannot complete a web server login, so this workaround also blocks legitimate subscribers until the patch is applied.

Apache: Use .htaccess to require authentication for /rss/ paths
Nginx: Add location blocks to restrict /rss/ access

🧯 If You Can't Patch

  • Disable RSS feeds completely in Moodle administration
  • Implement web application firewall rules to block unauthorized RSS feed requests

🔍 How to Verify

Check if Vulnerable:

Attempt to access RSS feed URLs without authentication; if accessible, system is vulnerable.

Check Version:

Check Moodle version via admin interface or config.php: $CFG->version

Verify Fix Applied:

After patching, attempt same unauthorized RSS access; should receive permission denied error.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /rss/ endpoints in web server logs
  • 403 errors for RSS feeds after fix implementation

Network Indicators:

  • HTTP GET requests to RSS feed URLs from unauthenticated IPs

SIEM Query:

web_access_logs WHERE url_path LIKE '%/rss/%' AND auth_status = 'unauthenticated'
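As an added example (not part of the original advisory), the following Python script applies the log indicators above to Apache/Nginx combined-format access-log lines: it groups /rss/ requests by client and flags clients that pulled several distinct feeds with 200 OK, which after the fix should appear as 403. The addresses, token segment and feed paths in the sample lines are constructed; standard access logs do not record Moodle session state, so the response status stands in for the auth_status field of the SIEM query.

```python
import re
from collections import defaultdict
# Apache/Nginx "combined" access-log format; no Moodle-specific log fields assumed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
RSS_PREFIX = "/rss/"  # Moodle serves feeds below this path (see workarounds above)

# Constructed sample lines: one client enumerates three feeds pre-fix (200),
# one legitimate user fetches a single feed, one request arrives post-fix (403).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /rss/file.php/1/tok/mod_forum/3/rss.xml HTTP/1.1" 200 4120 "-" "curl/8.5"
203.0.113.7 - - [10/Apr/2025:09:12:02 +0000] "GET /rss/file.php/1/tok/mod_forum/4/rss.xml HTTP/1.1" 200 3900 "-" "curl/8.5"
203.0.113.7 - - [10/Apr/2025:09:12:03 +0000] "GET /rss/file.php/1/tok/mod_forum/5/rss.xml HTTP/1.1" 200 3870 "-" "curl/8.5"
198.51.100.2 - - [10/Apr/2025:09:15:44 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 15020 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2025:09:15:50 +0000] "GET /rss/file.php/1/tok/mod_forum/3/rss.xml HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Apr/2025:08:00:10 +0000] "GET /rss/file.php/1/tok/mod_forum/3/rss.xml HTTP/1.1" 403 512 "-" "curl/8.5"
""".splitlines()

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def rss_report(lines):
    """Per client IP: number of /rss/ hits, status-code counts, distinct feed paths."""
    report = defaultdict(lambda: {"hits": 0, "status": defaultdict(int), "paths": set()})
    for line in lines:
        r = parse(line)
        if r is None or not r["path"].startswith(RSS_PREFIX):
            continue
        entry = report[r["ip"]]
        entry["hits"] += 1
        entry["status"][int(r["status"])] += 1
        entry["paths"].add(r["path"].split("?", 1)[0])
    return report

def suspicious_clients(report, min_paths=3):
    """Clients that received 200 OK for several distinct feeds: review whether
    those feeds were meant to be public. Post-fix, unauthenticated requests
    should show 403 instead, so a 200 on a restricted feed is the signal."""
    return sorted(ip for ip, e in report.items()
                  if e["status"].get(200, 0) > 0 and len(e["paths"]) >= min_paths)

if __name__ == "__main__":
    rep = rss_report(SAMPLE_LOG)
    print({ip: dict(e["status"]) for ip, e in rep.items()})
    print("review:", suspicious_clients(rep))
```

Point the script at a real access log by replacing SAMPLE_LOG with the file's lines; the 403 count per client is also the quickest confirmation that the fix is in effect.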
