CVE-2025-62400: 
PHP vulnerability analysis and mitigation

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This vulnerability (CVE-2025-62400) was discovered in Moodle versions 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20 and earlier unsupported versions. The issue was fixed in versions 5.0.3, 4.5.7, 4.4.11 and 4.1.21 (Redhat Bugzilla).

The vulnerability stems from a missing capability check in the calendar event creation flow, which allowed users with event creation rights to see names of hidden or separate groups. The issue has been assigned a CVSS 3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (NVD).

This vulnerability could reveal private or restricted group information, potentially exposing group names that were meant to remain private within a course. The exposure of hidden group names could compromise the confidentiality of sensitive organizational structures or private study groups (NVD).

The recommended mitigation is to upgrade to the fixed versions: Moodle 5.0.3, 4.5.7, 4.4.11, or 4.1.21. These versions include the necessary capability checks to prevent unauthorized access to hidden group names (Redhat Bugzilla).