Moodle: course access permissions not properly checked in course_output_fragment_course_overview
Description
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle's course overview output function fails to enforce user access permissions, allowing unauthorized users to view limited course details.
Vulnerability
Overview
CVE-2025-62393 describes an access control flaw in Moodle's course overview output function. The root cause is that the function course_output_fragment_course_overview (as seen in the commit [4]) did not properly check user permissions before returning course information. Specifically, the call to can_access_course($course) was performed without passing the $user parameter and without throwing an exception when access was denied, allowing the function to continue execution even for unauthorized users.
Exploitation
An attacker can exploit this vulnerability by crafting a request to the course overview fragment endpoint with a course ID they should not have access to. No privilege beyond a valid logged-in session is required, but the attacker must be able to trigger the fragment callback. The vulnerability is present in the course_output_fragment_course_overview function, which is used to render course overviews in various parts of the Moodle interface [1][2].
Impact
Successful exploitation allows an unauthorized user to view limited course details, such as the course name, summary, and possibly other metadata exposed by the overview function. According to the official description, this exposure is limited to 'limited course details' [2]. The vulnerability does not grant full course access or the ability to modify data, but it does break the intended access control boundaries.
Mitigation
The fix has been implemented in Moodle's commit fc69b4744ba0132cc3093fd81940be15bc293835 [4]. The patch adds a proper access check using can_access_course($course, null, '', true) and throws a require_login_exception if the user does not have access [4]. Administrators are advised to update their Moodle installations to include this commit or the corresponding release version that contains the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
Patches
fc69b4744ba0 MDL-86426 course: access checks in course overview fragment callback.
1 file changed · +6 −1
public/course/lib.php+6 −1 modified@@ -4422,6 +4422,8 @@ function course_output_fragment_new_base_form($args) { * * @param array $args the fragment arguments * @return string the course overview fragment + * + * @throws require_login_exception */ function course_output_fragment_course_overview($args) { global $PAGE; @@ -4431,7 +4433,10 @@ function course_output_fragment_course_overview($args) { $modname = $args['modname']; $course = get_course($args['courseid']); $context = context_course::instance($course->id, MUST_EXIST); - can_access_course($course); + + if (!can_access_course($course, null, '', true)) { + throw new require_login_exception('Course is not available'); + } // Some plugins may have a list view event. $eventclassname = 'mod_' . $modname . '\\event\\course_module_instance_list_viewed';
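Review bot: in the first hunk the added `@throws require_login_exception` tag is correct but should state the condition (the current user cannot access the course), since this fragment callback is invoked from AJAX and the caller needs to know that an access failure surfaces as an exception rather than an empty string.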
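Review bot: the second hunk fixes the real defect: the original `can_access_course($course);` discarded the function's boolean return value, so it never blocked anything and execution continued for users without access. The replacement acts on the result and passes `true` as the fourth argument, which in Moodle's `can_access_course()` restricts the check to active enrolments, so a suspended or expired enrolment is now rejected as well. Worth adding a unit test that calls `course_output_fragment_course_overview()` as an unenrolled user and as a suspended user and expects `require_login_exception` in both cases, and one as an active enrolled user that expects a rendered fragment.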
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rjcm-7v2p-9265 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-62393 (NVD advisory)
- access.redhat.com/security/cve/CVE-2025-62393 (Red Hat vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
- github.com/moodle/moodle/commit/fc69b4744ba0132cc3093fd81940be15bc293835 (fix commit)
- moodle.org/mod/forum/discuss.php (Moodle forum discussion)