CVE-2025-62400: 
PHP vulnerability analysis and mitigation

CVE-2025-62400 is a security vulnerability discovered in Moodle that exposes the names of hidden groups to users who have permission to create calendar events but lack the permissions to view hidden groups. The vulnerability was disclosed on October 23, 2025, affecting multiple versions of Moodle including versions 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20, and earlier unsupported versions (NVD, Bugzilla).

The vulnerability stems from a missing capability check in the calendar event creation flow. The issue specifically involves the functions core_calendar_external::submit_create_update_form and calendar_output_fragment_event_form, which incorrectly used groups_get_course_data() to fetch all groups within a course without properly checking user permissions. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, and is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (Miggo).

The vulnerability could result in the disclosure of private or restricted group information within Moodle courses. Users with calendar event creation permissions could potentially view the names of hidden groups that were intended to remain private, potentially compromising the confidentiality of course organization and structure (NVD).

The vulnerability has been patched in Moodle versions 5.0.3, 4.5.7, 4.4.11, and 4.1.21. The fix involves replacing the insecure function call to groups_get_course_data() with groups_get_all_groups(), which properly respects group visibility settings and user capabilities (Bugzilla).