Insertion of Sensitive Information Into Sent Data

CVE-2025-67857

Medium

5.3/10

Summary

A flaw was found in moodle versions prior to 4.1.22, 4.2.0-beta prior to 4.4.12, 4.5.0-beta prior to 4.5.8, 5.0.0-beta prior to 5.0.4, and 5.1.0-beta prior to 5.1.1. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-201 - Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References

Advisory
Advisory
Issue

Advisory Timeline

Published Feb 03, 2026

Insertion of Sensitive Information Into Sent Data

CVE-2025-67857

Summary

CWE-201 - Insertion of Sensitive Information Into Sent Data

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS