CVE-2025-32044
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data-including names, contact information, and hashed passwords-via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.
Analysis
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data-including names, contact information, and hashed passwords-via stack traces. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical Context
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data-including names, contact information, and hashed passwords-via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability. Affected products include: Moodle.
Affected Products
Moodle.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today