Vulnerability-Lookup

WID-SEC-W-2025-1353

Vulnerability from csaf_certbund - Published: 2025-06-17 22:00 - Updated: 2025-06-19 22:00

Summary

Moodle: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Moodle ist ein Software-Paket, um internetbasierte Kurse zu entwickeln und durchzuführen. Es ist ein globales Softwareentwicklungsprojekt, das einen konstruktivistischen Lehr- und Lernansatz unterstützt.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Informationen offenzulegen, Sicherheitsmechanismen zu umgehen und um nicht näher spezifizierte Auswirkungen zu erzielen

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-46337

CVE-2025-49512

CVE-2025-49513

CVE-2025-49514

CVE-2025-49515

CVE-2025-49516

CVE-2025-49517

CVE-2025-49518

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://moodle.org/mod/forum/discuss.php?d=468500	external
	https://moodle.org/mod/forum/discuss.php?d=468501	external
	https://moodle.org/mod/forum/discuss.php?d=468502	external
	https://moodle.org/mod/forum/discuss.php?d=468503	external
	https://moodle.org/mod/forum/discuss.php?d=468504	external
	https://moodle.org/mod/forum/discuss.php?d=468505	external
	https://moodle.org/mod/forum/discuss.php?d=468506	external
	https://moodle.org/mod/forum/discuss.php?d=468507	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
	https://bodhi.fedoraproject.org/updates/FEDORA-20…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Moodle ist ein Software-Paket, um internetbasierte Kurse zu entwickeln und durchzuf\u00fchren. Es ist ein globales Softwareentwicklungsprojekt, das einen konstruktivistischen Lehr- und Lernansatz unterst\u00fctzt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, Informationen offenzulegen, Sicherheitsmechanismen zu umgehen und um nicht n\u00e4her spezifizierte Auswirkungen zu erzielen",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1353 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1353.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1353 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1353"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0029 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468500"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0030 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468501"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0031 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468502"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0032 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468503"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0033 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468504"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0034 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468505"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0035 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468506"
      },
      {
        "category": "external",
        "summary": "Moodle Security Advisory MSA-25-0036 vom 2025-06-17",
        "url": "https://moodle.org/mod/forum/discuss.php?d=468507"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-622BED7E7A vom 2025-06-19",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-622bed7e7a"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-83AB16425F vom 2025-06-19",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-83ab16425f"
      }
    ],
    "source_lang": "en-US",
    "title": "Moodle: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-19T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-20T07:44:33.042+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1353",
      "initial_release_date": "2025-06-17T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-06-17T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-06-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.0.1",
                "product": {
                  "name": "Open Source Moodle \u003c5.0.1",
                  "product_id": "T044715"
                }
              },
              {
                "category": "product_version",
                "name": "5.0.1",
                "product": {
                  "name": "Open Source Moodle 5.0.1",
                  "product_id": "T044715-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:5.0.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.5.5",
                "product": {
                  "name": "Open Source Moodle \u003c4.5.5",
                  "product_id": "T044717"
                }
              },
              {
                "category": "product_version",
                "name": "4.5.5",
                "product": {
                  "name": "Open Source Moodle 4.5.5",
                  "product_id": "T044717-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.5.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.4.9",
                "product": {
                  "name": "Open Source Moodle \u003c4.4.9",
                  "product_id": "T044718"
                }
              },
              {
                "category": "product_version",
                "name": "4.4.9",
                "product": {
                  "name": "Open Source Moodle 4.4.9",
                  "product_id": "T044718-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.4.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.1.19",
                "product": {
                  "name": "Open Source Moodle \u003c4.1.19",
                  "product_id": "T044719"
                }
              },
              {
                "category": "product_version",
                "name": "4.1.19",
                "product": {
                  "name": "Open Source Moodle 4.1.19",
                  "product_id": "T044719-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.1.19"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Moodle"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-46337",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-46337"
    },
    {
      "cve": "CVE-2025-49512",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49512"
    },
    {
      "cve": "CVE-2025-49513",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49513"
    },
    {
      "cve": "CVE-2025-49514",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49514"
    },
    {
      "cve": "CVE-2025-49515",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49515"
    },
    {
      "cve": "CVE-2025-49516",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49516"
    },
    {
      "cve": "CVE-2025-49517",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49517"
    },
    {
      "cve": "CVE-2025-49518",
      "product_status": {
        "known_affected": [
          "T044715",
          "T044717",
          "T044719",
          "T044718",
          "74185"
        ]
      },
      "release_date": "2025-06-17T22:00:00.000+00:00",
      "title": "CVE-2025-49518"
    }
  ]
}

CVE-2025-46337 (GCVE-0-2025-46337)

Vulnerability from cvelistv5 – Published: 2025-05-01 17:20 – Updated: 2025-05-26 18:03

Title

SQL injection in ADOdb PostgreSQL driver pg_insert_id() method

Summary

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ADOdb/ADOdb/security/advisorie…	x_refsource_CONFIRM
	https://github.com/ADOdb/ADOdb/issues/1070	x_refsource_MISC
	https://github.com/ADOdb/ADOdb/commit/11107d6d6e5…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ADOdb	ADOdb	Affected: < 5.22.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46337",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-02T17:57:27.460605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-02T17:57:58.870Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-26T18:03:45.346Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://xaliom.blogspot.com/2025/05/from-sast-to-cve-2025-46337.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ADOdb",
          "vendor": "ADOdb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.22.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T17:20:10.658Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545"
        },
        {
          "name": "https://github.com/ADOdb/ADOdb/issues/1070",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ADOdb/ADOdb/issues/1070"
        },
        {
          "name": "https://github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426"
        }
      ],
      "source": {
        "advisory": "GHSA-8x27-jwjr-8545",
        "discovery": "UNKNOWN"
      },
      "title": "SQL injection in ADOdb PostgreSQL driver pg_insert_id() method"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46337",
    "datePublished": "2025-05-01T17:20:10.658Z",
    "dateReserved": "2025-04-22T22:41:54.912Z",
    "dateUpdated": "2025-05-26T18:03:45.346Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1353

CVE-2025-46337 (GCVE-0-2025-46337)

Tags

Sightings

Nomenclature