CVE-2025-67857
📋 TL;DR
This vulnerability in Moodle exposes user identifiers in URLs during anonymous assignment submissions, compromising intended anonymity. Attackers can view internal user IDs, leading to information disclosure. All Moodle instances with anonymous assignment features are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could deanonymize users, correlate anonymous submissions with real identities, and potentially combine with other vulnerabilities for targeted attacks.
Likely Case
Unauthorized viewers can see which users submitted anonymous assignments, compromising privacy expectations in educational settings.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without authentication bypass.
🎯 Exploit Status
Exploitation requires access to view assignment submission URLs, which typically requires some level of course access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moodle security advisories for specific fixed version
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=471307
Restart Required: No
Instructions:
1. Check the Moodle security advisory for the patch version.
2. Update Moodle to the patched version.
3. Verify that anonymous assignment functionality works correctly.
🔧 Temporary Workarounds
Disable Anonymous Submissions
Temporarily disable anonymous assignment submissions until patched
Navigate to Moodle assignment settings and disable 'Anonymous submissions' option
Restrict Assignment Access
Limit who can view assignment submissions to reduce exposure
Configure course/assignment permissions to restrict viewing to essential personnel only
🧯 If You Can't Patch
- Disable anonymous assignment submission feature entirely
- Implement web application firewall rules to monitor for user ID exposure in URLs
🔍 How to Verify
Check if Vulnerable:
Test anonymous assignment submission and check if user IDs appear in URLs or response data
Check Version:
Check Moodle version in Site administration > Notifications or via moodle_version table
Verify Fix Applied:
After patching, verify anonymous submissions no longer expose user identifiers in URLs
📡 Detection & Monitoring
Log Indicators:
- URLs containing user IDs in assignment submission contexts
- Unusual access patterns to anonymous assignment pages
Network Indicators:
- HTTP requests to assignment URLs containing numeric user identifiers
SIEM Query:
web.url:*assign* AND (web.url:*userid=* OR web.url:*id=*[0-9]+)
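As an added example that is not part of this advisory, the following Python script applies the log indicators above to access-log lines. The sample log lines are constructed, and the `/mod/assign/` path prefix and the `userid` query parameter name are assumptions about the deployment; unlike the SIEM query, it ignores the bare `id=` parameter, which on assignment pages is normally the course-module id rather than a user id.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /mod/assign/view.php?id=42&action=grading HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /mod/assign/view.php?id=42&action=grader&userid=1337 HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /course/view.php?id=7&userid=55 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /mod/assign/view.php?id=42&action=grader&userid=2048 HTTP/1.1" 200 8192
"""

# Request-line parser for the common/combined log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Query parameters that carry a Moodle user id (assumed; adjust to your deployment).
USER_ID_PARAMS = ("userid",)

def find_userid_exposures(log_text):
    """Return one record per request to the assign module whose query carries a numeric user id."""
    # The plain 'id=' parameter is ignored: on assign pages it is the course-module id, not a user id.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.startswith("/mod/assign/"):
            continue
        params = parse_qs(parts.query)
        for name in USER_ID_PARAMS:
            for value in params.get(name, []):
                if value.isdigit():
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "path": parts.path, "param": name, "userid": int(value)})
    return hits

def userids_by_source(hits):
    """Group exposed user ids by requesting IP, to spot one client walking through many submitters."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["ip"]].add(h["userid"])
    return dict(grouped)

if __name__ == "__main__":
    found = find_userid_exposures(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} {h["param"]}={h["userid"]}')
    print(userids_by_source(found))
```

A single source IP accumulating many distinct user ids on assignment pages is the "unusual access pattern" worth alerting on, since a grader normally works through a bounded set of submitters.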