Multiple vulnerabilities in Moodle Innovación y Cualificación plugins

Posted date 11/03/2025
Identifier
INCIBE-2025-0131
Importance
5 - Critical
Affected Resources

The following Moodle plugins are affected:

  • IcProgreso plugin;
  • local administration plugin (ajax.php).
Description

INCIBE has coordinated the publication of 4 vulnerabilities, 2 of critical severity and 2 of medium severity, affecting the local administration and IcProgreso plugins for Moodle developed by Innovación y Cualificación. The vulnerabilities were discovered by Julen Garrido Estevez.

The vulnerabilities have been assigned the following CVE identifiers, CVSS v4.0 base scores, CVSS vectors and CWE weakness types:

  • CVE-2025-2199 and CVE-2025-2200: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89 (SQL injection)
  • CVE-2025-2201 and CVE-2025-2202: CVSS v4.0: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-863 (incorrect authorization)
Solution

Innovación y Cualificación has released a new version that fixes the vulnerabilities detected in the affected plugins. The fix is being deployed to all installations of the affected software, and the process is expected to be completed in December 2024.

Detail
  • CVE-2025-2199: SQL injection vulnerability in the Innovación y Cualificación local administration plugin (ajax.php). An attacker can read, update and delete data in the database by injecting an SQL query through the ‘searchActionsToUpdate’, ‘searchSpecialitiesPending’, ‘searchSpecialitiesLinked’, ‘searchUsersToUpdateProfile’, ‘training_action_data’, ‘showContinuingTrainingCourses’ and ‘showUsersToEdit’ actions of /local/administration/ajax.php. The vector (PR:N, UI:N) indicates that no privileges or user interaction are required.
  • CVE-2025-2200: SQL injection vulnerability in the Innovación y Cualificación IcProgreso plugin. An attacker can read, update and delete data in the database by injecting an SQL query through the user, id, idGroup, start_date and end_date parameters of the endpoint /report/icprogreso/generar_blocks.php. As above, the vector indicates that no privileges or user interaction are required.
  • CVE-2025-2201: broken access control vulnerability in the Innovación y Cualificación IcProgreso plugin. An attacker can obtain sensitive information about other users, such as their public IP addresses, their messages with other users and more.
  • CVE-2025-2202: broken access control vulnerability in the Innovación y Cualificación local administration plugin (ajax.php). An attacker can obtain sensitive information about other users, such as their id, name, login and email.
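The two weakness classes in this advisory (SQL injection, CWE-89, in CVE-2025-2199 and CVE-2025-2200; missing authorization, CWE-863, in CVE-2025-2201 and CVE-2025-2202) share the same root causes in a Moodle plugin endpoint: request values pasted into SQL text, and a script that never asks who is calling it. The following is an added illustration written for this page; it is not the code of the affected plugins nor a reproduction of the reported issues. The endpoint path, table name, capability names and parameter handling are assumptions chosen to mirror the kind of report endpoint the advisory describes; the Moodle APIs used (required_param/optional_param with PARAM_* types, require_login, require_capability, has_capability and $DB->get_records_sql with named placeholders) are real.

```php
<?php
// Added example for this advisory page. NOT the code of the Innovación y
// Cualificación plugins and not a reproduction of CVE-2025-2199..2202.
// Shows the weak pattern behind CWE-89 / CWE-863 in a Moodle endpoint and
// the hardened form using Moodle's own APIs. Path, table, capability names
// and parameter names are assumptions.

require_once(__DIR__ . '/../../config.php');   // assumed: script lives two levels under the Moodle root

// --- Weak pattern (kept for contrast, never called) -------------------------
function weak_progress_query(): void {
    global $DB;
    // No require_login()/require_capability(): anyone who can reach the URL
    // reaches the query (CWE-863).
    $userid = $_GET['user'];          // raw, untyped
    $start  = $_GET['start_date'];
    // Values concatenated into SQL text: input can change query structure (CWE-89).
    $sql = "SELECT * FROM {local_example_progress} WHERE userid = $userid AND timestart >= '$start'";
    $DB->get_records_sql($sql);
}

// --- Hardened pattern ------------------------------------------------------
function hardened_progress_query(): array {
    global $DB, $USER;

    // 1. Authenticate and authorise before any data access.
    require_login();
    $context = context_system::instance();
    require_capability('local/example:viewprogress', $context);   // assumed capability name

    // 2. Typed cleaning: PARAM_INT rejects anything that is not an integer,
    //    so "1 OR 1=1" never reaches the query at all.
    $userid  = required_param('user', PARAM_INT);
    $groupid = optional_param('idGroup', 0, PARAM_INT);
    $start   = optional_param('start_date', 0, PARAM_INT);   // assumed: Unix timestamp
    $end     = optional_param('end_date', 0, PARAM_INT);

    // 3. Object-level check: without the "view all" capability a user may only
    //    query their own record, which is what CWE-863 endpoints forget.
    if ($userid !== (int)$USER->id
            && !has_capability('local/example:viewallprogress', $context)) {   // assumed capability
        throw new required_capability_exception($context,
            'local/example:viewallprogress', 'nopermissions', '');
    }

    // 4. Named placeholders: the driver binds values, so even a cleaned value
    //    is never interpreted as SQL.
    $sql = "SELECT p.id, p.userid, p.timestart, p.timeend, p.percent
              FROM {local_example_progress} p
             WHERE p.userid = :userid";
    $params = ['userid' => $userid];
    if ($groupid) {
        $sql .= " AND p.groupid = :groupid";
        $params['groupid'] = $groupid;
    }
    if ($start) {
        $sql .= " AND p.timestart >= :start";
        $params['start'] = $start;
    }
    if ($end) {
        $sql .= " AND p.timeend <= :end";
        $params['end'] = $end;
    }
    return $DB->get_records_sql($sql, $params);
}

header('Content-Type: application/json');
echo json_encode(array_values(hardened_progress_query()));
```

The order of the checks matters: the capability check runs before any parameter is read, so an unauthorised caller cannot probe parameter handling, and the per-object check runs before the query so that a valid, typed user id still cannot be used to read another user's data. When auditing a plugin for the issues reported here, look for the inverse of each step: raw $_GET/$_POST or PARAM_RAW values inside SQL strings, get_records_sql called with a single argument, and entry points with no require_login or require_capability near the top.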