Moodle: IDOR when accessing the cohorts report
Description
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle fails to properly validate cohort data access, allowing users to view unauthorized cohort information.
Root cause
A flaw was discovered in Moodle's cohort system report. The vulnerability stems from insufficient validation of the contextid and showall parameters, which could let users retrieve cohort data without the intended authorization checks [1][3]. The affected methods, particularly can_view() and initialise(), accepted user-supplied parameters to determine which context to query, bypassing the intended capability checks [3].
Exploitation
An attacker could exploit this by crafting requests with manipulated contextid or showall parameters in the cohort system report. The original code used these parameters to directly set the context for SQL queries, without verifying that the user had the necessary capabilities (moodle/cohort:manage or moodle/cohort:view) in that specific context [3]. The attack requires network access to a Moodle instance, but no special authentication beyond a valid user account [2].
Impact
A successful exploit could allow an unauthorized user to view cohort data from other contexts, such as system-wide cohorts or cohorts from categories they should not access. This could lead to information disclosure of sensitive grouping data [1][2].
Mitigation
The fix, implemented in commit bd6ec0ac84, improves validation by ensuring the system report always uses the current context from the report instance rather than user-supplied parameters [3]. The showall flag is now only honored when the context is context_system, and the contextid parameter is no longer used to define the report's scope [3]. Administrators should update to a patched version of Moodle as soon as possible.
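The root cause and the fix described above, as an added illustration that is not Moodle's code: a constructed PHP model of the report's authorisation and scoping logic before and after the change. The `Ctx` class, the capability table, the cohort rows and the helper `user_has_any_capability()` are stand-ins invented for this example; Moodle's real `has_any_capability()`, `context_system`, `get_parameter()` and `get_context()` are modelled here, not called.

```php
<?php
// Added example, not Moodle code: a constructed model of the cohort system
// report's authorisation and scoping logic before and after the fix.

// Stand-in for Moodle's context classes (constructed). Id 1 is the system context.
final class Ctx
{
    public function __construct(public int $id, public bool $isSystem) {}
}

$contexts = [1 => new Ctx(1, true), 10 => new Ctx(10, false), 20 => new Ctx(20, false)];

// Constructed cohort rows: one site-wide cohort and one per category context.
$cohorts = [
    ['id' => 101, 'name' => 'site-staff',      'contextid' => 1],
    ['id' => 102, 'name' => 'cat10-students',  'contextid' => 10],
    ['id' => 103, 'name' => 'cat20-students',  'contextid' => 20],
];

// Constructed capability table: alice may view cohorts only in context 10.
$grants = ['alice' => [10 => ['moodle/cohort:view']]];

// Stand-in for has_any_capability(): true if the user holds any of $caps in $ctx.
function user_has_any_capability(string $user, array $caps, Ctx $ctx, array $grants): bool
{
    return array_intersect($caps, $grants[$user][$ctx->id] ?? []) !== [];
}

// Before the fix: both the context used for the capability check and the
// "show all" switch come straight from the request parameters, and showall
// defaults to true, so passing any context the user may view lifts the scope filter.
function report_before(array $params, string $user, array $cohorts, array $contexts, array $grants): ?array
{
    // Unknown ids fall back to the system context here; Moodle would raise an exception.
    $ctx = $contexts[(int) ($params['contextid'] ?? 0)] ?? $contexts[1];
    if (!user_has_any_capability($user, ['moodle/cohort:manage', 'moodle/cohort:view'], $ctx, $grants)) {
        return null; // access denied
    }
    $showall = (bool) ($params['showall'] ?? true); // permissive default
    return $showall
        ? $cohorts
        : array_values(array_filter($cohorts, fn($c) => $c['contextid'] === $ctx->id));
}

// After the fix: the report is bound to a context chosen by the calling page;
// the capability check and the scope filter both use that context, and
// "show all" is honoured only when that context is the system context.
function report_after(Ctx $reportCtx, array $params, string $user, array $cohorts, array $grants): ?array
{
    if (!user_has_any_capability($user, ['moodle/cohort:manage', 'moodle/cohort:view'], $reportCtx, $grants)) {
        return null; // access denied
    }
    $showall = $reportCtx->isSystem && (bool) ($params['showall'] ?? false);
    return $showall
        ? $cohorts
        : array_values(array_filter($cohorts, fn($c) => $c['contextid'] === $reportCtx->id));
}

$names = fn(?array $rows) => $rows === null ? 'denied' : implode(',', array_column($rows, 'name'));

// alice names a context she may view and leaves showall at the old default.
echo 'before: ', $names(report_before(['contextid' => 10], 'alice', $cohorts, $contexts, $grants)), PHP_EOL;

// Same user and request, but the page has bound the report to context 10.
echo 'after (category ctx): ', $names(report_after($contexts[10], ['showall' => 1], 'alice', $cohorts, $grants)), PHP_EOL;

// Same user asking a report bound to the system context.
echo 'after (system ctx): ', $names(report_after($contexts[1], ['showall' => 1], 'alice', $cohorts, $grants)), PHP_EOL;
```

Running the script with `php` shows the difference the patch makes: the pre-fix function returns cohorts from every context to a user who only holds a capability in one category, because the capability check and the scope filter are driven by two independent request parameters; the post-fix function stays scoped to the category the page resolved, and refuses the system-context report outright because the capability check is now made against that fixed context.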
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 4.1.18 | 4.1.18 |
| moodle/moodle (Packagist) | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
Affected products
- OSV coordinates (no CPE): range < 4.1.18, plus 1 more range
Patches
- bd6ec0ac84cf: MDL-84865 cohort: improve system report validation of parameters.
  2 files changed · +12 −21
cohort/classes/reportbuilder/local/systemreports/cohorts.php+11 −19 modified@@ -73,11 +73,11 @@ protected function initialise(): void { }); // Check if report needs to show a specific category. - $contextid = $this->get_parameter('contextid', 0, PARAM_INT); - $showall = $this->get_parameter('showall', true, PARAM_BOOL); - if (!$showall) { + if (!$this->get_context() instanceof context_system || !$this->get_parameter('showall', false, PARAM_BOOL)) { $paramcontextid = database::generate_param_name(); - $this->add_base_condition_sql("{$entitymainalias}.contextid = :$paramcontextid", [$paramcontextid => $contextid]); + $this->add_base_condition_sql("{$entitymainalias}.contextid = :{$paramcontextid}", [ + $paramcontextid => $this->get_context()->id, + ]); } // Now we can call our helper methods to add the content we want to include in the report. @@ -95,14 +95,7 @@ protected function initialise(): void { * @return bool */ protected function can_view(): bool { - $contextid = $this->get_parameter('contextid', 0, PARAM_INT); - if ($contextid) { - $context = context::instance_by_id($contextid, MUST_EXIST); - } else { - $context = context_system::instance(); - } - - return has_any_capability(['moodle/cohort:manage', 'moodle/cohort:view'], $context); + return has_any_capability(['moodle/cohort:manage', 'moodle/cohort:view'], $this->get_context()); } /** 
@@ -115,10 +108,8 @@ protected function add_columns(): void { $cohortentity = $this->get_entity('cohort'); $entitymainalias = $cohortentity->get_table_alias('cohort'); - $showall = $this->get_parameter('showall', false, PARAM_BOOL); - // Category column. An extra callback is appended in order to extend the current column formatting. - if ($showall) { + if ($this->get_context() instanceof context_system && $this->get_parameter('showall', false, PARAM_BOOL)) { $this->add_column_from_entity('cohort:context') ->add_callback(static function(string $value, stdClass $cohort): string { $context = context::instance_by_id($cohort->contextid); @@ -198,10 +189,11 @@ protected function add_filters(): void { */ protected function add_actions(): void { - $contextid = $this->get_parameter('contextid', 0, PARAM_INT); - $showall = $this->get_parameter('showall', true, PARAM_BOOL); - $returnurl = (new moodle_url('/cohort/index.php', - ['id' => ':id', 'contextid' => $contextid, 'showall' => $showall]))->out(false); + $returnurl = (new moodle_url('/cohort/index.php', [ + 'id' => ':id', + 'contextid' => $this->get_context()->id, + 'showall' => $this->get_parameter('showall', false, PARAM_BOOL), + ]))->out(false); // Hide action. It will be only shown if the property 'visible' is true and user has 'moodle/cohort:manage' capabillity. $this->add_action((new action(
cohort/index.php+1 −2 modified@@ -104,8 +104,7 @@ echo $OUTPUT->render($editcontrols); } -$reportparams = ['contextid' => $context->id, 'showall' => $showall]; -$report = system_report_factory::create(cohorts::class, $context, '', '', 0, $reportparams); +$report = system_report_factory::create(cohorts::class, $context, '', '', 0, ['showall' => $showall]); // Check if it needs to search by name. if (!empty($searchquery)) {
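Review bot: in the initialise() hunk, `!$this->get_context() instanceof context_system || !$this->get_parameter('showall', false, PARAM_BOOL)` depends on PHP binding `instanceof` more tightly than `!`; that is correct, but writing `!($this->get_context() instanceof context_system)` spares the next reader the precedence lookup. The same hunk also changes the default of `showall` from `true` to `false`; that is the safer default and part of the fix, but it is a behaviour change for any caller that omitted the parameter, so it deserves an explicit line in the commit message.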
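Review bot: with can_view() reduced to `has_any_capability([...], $this->get_context())`, the authorisation boundary moves entirely to whoever constructs the report; the index.php hunk passes the page's own `$context` to `system_report_factory::create()`, but how that `$context` is resolved and checked is not visible in this diff. Confirm that the page-level context resolution already restricts `$context` to one the user is allowed to use, and consider adding a test that a non-system context with `showall` set still yields a report scoped to that single context.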
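Review bot: the add_columns() hunk repeats `$this->get_context() instanceof context_system && $this->get_parameter('showall', false, PARAM_BOOL)`, which is the negation of the condition used in initialise(); two copies of the same security-relevant predicate can drift apart on the next edit. A small private helper, for example `is_showing_all(): bool` (name hypothetical), called from both places would keep the column logic and the SQL scope in step.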
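Review bot: the index.php hunk drops `contextid` from the report parameters but still forwards `$showall` for every context, even though the report now ignores it outside the system context. That is harmless given the checks in the report class, but normalising it here (`$showall = $showall && $context instanceof context_system`, for instance) would keep the page's edit controls rendered just above and the report itself agreeing on what is displayed.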
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-34g7-pg9j-pxgp (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3647 (GHSA; advisory)
- access.redhat.com/security/cve/CVE-2025-3647 (GHSA; vdb-entry, x_refsource_REDHAT; web)
- bugzilla.redhat.com/show_bug.cgi (GHSA; issue-tracking, x_refsource_REDHAT; web)
- github.com/moodle/moodle/commit/bd6ec0ac84cf0f73ab35e7e244e1f9b06929083a (GHSA; web)
- moodle.org/mod/forum/discuss.php (GHSA; web)