CVE-2025-62394: 
PHP vulnerability analysis and mitigation

Moodle, a popular learning management system, was found to have a vulnerability (CVE-2025-62394) where the system failed to verify enrollment status correctly when sending quiz notifications. The vulnerability was discovered and published on October 23, 2025, affecting Moodle versions 5.0 to 5.0.2 and 4.5 to 4.5.6 (Miggo, Debian Tracker).

The vulnerability is located in the get_users_within_quiz function within the mod_quiz\notification_helper class. The root cause was identified as a missing 'onlyactive: true' parameter in the get_enrolled_users call inside get_users_within_quiz. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified under CWE-863 (Incorrect Authorization) (Miggo, NVD).

The vulnerability results in an information disclosure where suspended or inactive users might receive quiz-related messages, potentially leaking limited course information. The impact is considered low as it only affects the confidentiality aspect of the system, with no impact on integrity or availability (NVD, Bugzilla).

The vulnerability has been patched in Moodle versions 5.0.3 and 4.5.7. The fix involves adding the 'onlyactive: true' parameter to the get_enrolled_users call to ensure that only users with an active enrollment in the course receive quiz notifications (Miggo, Bugzilla).