CVE-2025-3645: 
PHP vulnerability analysis and mitigation

CVE-2025-3645 is a security vulnerability discovered in Moodle, disclosed on April 25, 2025. The vulnerability stems from insufficient capability checks in a messaging web service that allowed unauthorized users to view other users' names and online statuses. This vulnerability affects Moodle versions 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17, and earlier unsupported versions (NVD, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified as CWE-863 (Incorrect Authorization). The issue specifically relates to insufficient capability checks in the messaging web service component of Moodle, which failed to properly validate user access permissions (NVD, Wiz).

The vulnerability allows authenticated users to bypass intended access restrictions and view other users' names and online status information. This represents a privacy concern as it exposes user information to unauthorized individuals within the system (Bugzilla).

The vulnerability has been fixed in Moodle versions 4.5.4, 4.4.8, 4.3.12, and 4.1.18. Users are advised to upgrade to these patched versions to address the security issue (Bugzilla).