Moodle 4.3.12

Unsupported Moodle Version
This version of Moodle is no longer supported and will not receive fixes for security risks.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 14 April 2025

Here is the full list of fixed issues in 4.3.12.

General fixes and improvements

  • MDL-85000 - Error "No compatible source was found for this media" when trying to play OGV files on Firefox

Security fixes

  • MSA-25-0013 - Remote code execution risk via MimeTeX command (upstream)
  • MSA-25-0014 - User DoS and name disclosure risks via IDOR in MFA email factor revoke action
  • MSA-25-0015 - Some user data available before completing second factor with MFA enabled
  • MSA-25-0017 - Self enrolment available before completing second factor with MFA enabled
  • MSA-25-0018 - CSRF risk in user tours manager allows tour duplication
  • MSA-25-0019 - IDOR in RSS block allows access to additional RSS feeds
  • MSA-25-0020 - mod_data edit/delete pages pass CSRF token in GET parameter
  • MSA-25-0021 - CSRF risk in Brickfield tool's analysis request action
  • MSA-25-0022 - IDOR in web service allows users enrolled in a course to access some details of other users
  • MSA-25-0023 - Authenticated remote code execution risk in the Moodle LMS Dropbox repository
  • MSA-25-0024 - Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
  • MSA-25-0025 - Reflected XSS risk in policy tool
  • MSA-25-0026 - AJAX section delete does not respect course_can_delete_section()
  • MSA-25-0027 - IDOR in messaging web service allows access to some user details
  • MSA-25-0028 - IDOR when accessing the cohorts report