Software development is about to undergo a generative change. What this means is that AI (Artificial Intelligence) has…

Software development is about to undergo a generative change. What this means is that AI (Artificial Intelligence) has the potential to make developers more productive, as three systems on the market already provide this: GitHub Copilot, Anthropic’s Claude and OpenAI’s ChatGPT.

Hence, every developer, no matter if he or she specializes in AI or not, needs to understand and realize that as this technology is advancing so rapidly, any of us needs to know what it is, why it is relevant, and how to use it.

In this article, we will explain what generative AI exactly is, what functionality current systems bring, why it is going to be ubiquitous for developers, and tips on how to start working with it. Additionally, we’ll bust some of the generative AI replacement of developers altogether. Acquiring this new tool and doing so while not becoming too attached to it will give technology an advantage over other forms of technology.

****What is Generative AI?****

Machine learning systems that generate digital content, novel and of high-quality on-demand are generative AI. It includes anything from images, audio, and video to text as well as computer code and companies are increasingly turning to generative AI development services to harness their full potential.

In contrast to the analysis most AI has been focused on to date (categorizing existing data), generative models create brand-new artefacts. Advances in deep learning have enabled them to take in enormous datasets and to build an understanding to generate outputs that have never been seen before.

Prominent examples include DALL-E 3 for images, Jasper for audio, and GitHub Copilot for code. These models can take in a text prompt and return a relevant, realistic output in seconds without manual programming.

****Current Capabilities for Developers****

For programmers specifically, generative AI promises to boost their productivity. Modern systems can suggest entire code functions or applications based on English descriptions to save developers time and reduce bugs.

GitHub Copilot, for example, is a plugin for code editors like VS Code. As a developer writes a function, Copilot can suggest full implementations by analyzing existing code and understanding the English context. It can complete boilerplate code, debug issues, integrate APIs, and more.

Claude 3.7, Anthropic’s writing assistant, offers interactions that fall into the same category as writing assistants. Conversing with an AI in plain English to translate ideas into code in code. You can give an application what to do, walk through examples, ask questions to clarify, and Claude gives you runnable programs.

Such early examples show how generative AI accepts natural language rather than rigid, fixed rules as older technologies were; it is based on accepting natural language as input. With this, it is more intuitive and even accessible.

****Why Every Developer Should Care****

Even if you don’t specialize in AI, there are compelling reasons all technologists should closely monitor advancements in generative models:

It will become ubiquitous whether you like it or not

There is too much momentum and progress for generative AI not to infiltrate software workflows. OpenAI alone recently received nearly $750 million from Microsoft, plus more from other tech giants using its systems. With so much investment, expect rapid improvements.

It will make you more productive

Studies on Copilot show it can boost developer velocity by at least 30% once accustomed to the workflow. You don’t want competitors leveraging generative AI to build faster while you code manually.

It reduces simple but time-consuming tasks

No developer enjoys manually writing boilerplate code, documentation, tests, etc. But these tasks still take up a lot of time. Generative AI can autogenerate these routine but necessary functions to focus human efforts on complex problem-solving.

It handles legacy systems, so you don’t have to

Generative models are great for working with legacy systems. They integrate easily with outdated codebases, protocols and architectures that human engineers don’t want to work with. This allows you to build new solutions as opposed to keeping old ones.

It makes you a 2x engineer

Conceptual breakthroughs are created by outstanding developers and used to have an impact across the board. Generative AI’s power is that any engineer can create any logic in reality at least 2x faster (PDF). This technology enables world-changing applications to be brought to market today instead of months or years from now.

****How To Prepare as a Developer****

Generative AI will soon be a basic skill for professional engineers, like using IDEs or version control. Here are key ways to get ahead of the curve:

*   Experiment with GitHub Copilot, Claude, and related playgrounds. Get firsthand experience prompts that can spark whole applications.

*   Don’t fear; these tools will “take your job.” Enhance your human creativity with AI as a force multiplier. Find gaps in existing models where humans still shine over pure automation.

*   Advocate for adopting these tools at your company early, before the competition does. Pitch how it benefits users and customers, alongside developers.

*   Develop feedback loops, sharing why certain generated outputs are valuable or inadequate. The more humans train models, the better they become for everyone.

*   Get to understand the latest research from the company and its efforts. To keep up to date with anthropic frontiers, sign up for newsletters and updates from pioneers: Anthropic, Cohere, Google and others.

AI will never have the capacity to master all tasks, whether those are too unique, dynamic or complex for AI to do on its own. However, use models for what they do well and augment your human skills. This will be the future path of development: combining minds with machines.

****Busting Myths that Generative AI Replaces Developers****

With any disruptive technology, fears and misconceptions often arise around impacts on jobs. Rest assured, human developers will remain essential even as generative AI becomes widespread.

Here are common myths about generative models replacing engineers rather than augmenting them:

*   **Myth.** AI can build full-stack consumer web apps today with no human involvement.

*   **Reality.** Modern systems only generate code, not deploy full-stack apps. You still need developers to integrate outputs, train models, and handle infrastructure.

*   **Myth.** These models understand user needs and product requirements without human input.

*   **Reality.** AI has no sense of end-user behaviour or product thinking. Humans must provide a creative vision and real-world grounding.

*   **Myth.** Generated code is highly reliable and secure.

*   **Reality.** Raw model outputs still contain bugs and vulnerabilities. Humans provide QA, testing, auditing and oversight where AI falls short.

*   **Myth.** Anyone can prompt an AI to build an app without programming skills.

*   **Reality.** You still need engineers to validate code quality, connect components, identify limitations, and guide iterative improvement.

The key is viewing AI as a supportive tool rather than a wholesale replacement. Developers themselves utilize generative models just as they do compilers, debuggers, and clouds. But human creativity, judgment, and oversight remain indispensable.

**Augmenting Developers for the Future**

Hopefully, this breakdown demystifies generative AI and why it matters. These technologies aim to free engineers from drudgery so they can focus on more fulfilling, impactful work only humans can perform.

However, development will transform in the next five to ten years. Those who embrace this shift will have the most dynamic, stimulating, and rewarding careers. Others who deny how software creation is changing risk frustrating obsolescence.

Increasing general coding and automated task democratization means more people can make more ambitious projects than ever before possible. The future of AI-assisted inventions is something developers should cheer about rather than fear, with things remaining the same.

An open-minded attitude towards human and AI coexistence allows engineers to dream bigger, and faster and to make those dreams real. Complex problems in the world are desperate for innovative applications. Shortcuts are provided to that long timeline imposed by traditional code: generative models.

So while modern AI does have clear limits, its rapid pace of progress makes anticipating its potential more prudent than downplaying its capabilities. Get hands-on experience today rather than dismissing models as toys. Help drive breakthroughs by training them ethically. Then code the future you wish to see.

Why Developers Should Care About Generative AI (Even They Aren’t AI Expert)

After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

view over Cork, Ireland

It was no real surprise that ChatGPT got this right.

> “Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

> **🧱 Architectural Clues:**
> 
> *   The old stone building in the foreground has **Georgian-style windows and masonry**, which are common in parts of the British Isles, especially in **Ireland** and **the UK**.
> *   The clock tower in the back-left with the **green copper dome** is particularly distinctive and often used in civic buildings in Ireland.
> *   The **mix of historical and modern buildings**, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

> **🌉 Infrastructure and Environment:**
> 
> *   The modern bridge with a **blue banner advertisement** and the **tree-lined waterfront** hints at a city that integrates riverways into its urban design.
> *   The road signs and general driving direction suggest **left-hand traffic**, supporting a guess of **Ireland or the UK**.

> **🏛** **Key Landmark:**
> 
> The building with the green dome in the background looks **very much like the clock tower of Cork City Hall in Ireland**. The angle of the shot shows the old Custom House building in front, and the modern offices across the **River Lee**, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

> “This image provides several strong clues for geo-guessing:
> 
> The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.
> 
> The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.
> 
> The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.
> 
> The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.
> 
> **Conclusion**
> 
> This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

> **🧩 Visual Clues:**
> 
> 1.  **Architecture:**
>     *   The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
>     *   This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
> 2.  **Landscape:**
>     *   Very flat terrain with closely trimmed hedges and grassy areas.
>     *   This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
> 3.  **Infrastructure & Construction Tools:**
>     *   The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
> 4.  **Weather and Lighting:**
>     *   Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
> 5.  **Small Details:**
>     *   The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
>     *   The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a **very strong clue**.
> 
> **🌍** **Likely Guess:**
> 
> **The Netherlands** 🇳🇱
> 
> **📍****Narrowing it Down:**
> 
> Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like **North Holland**, **South Holland**, or **Friesland** where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

> “Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

**Bird songs**

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

> “Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

> “How Many Species Are Needed?
> 
> One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.
> 
> A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.
> 
> More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

**Latin Name**

**Common Name**

**Clue**

**Fringilla coelebs**

Chaffinch

Common across Europe

**Turdus merula**

Eurasian Blackbird

Also common across Europe

**Parus major**

Great Tit

Ubiquitous, widespread

**Grus grus**

Common Crane

Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere

**Carduelis carduelis**

European Goldfinch

Europe and western Asia

**Turdus viscivorus**

Mistle Thrush

Forests, open woodland — common in Europe

**Certhia brachydactyla**

Short-toed Treecreeper

Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia)

**Ardea alba**

Great Egret

Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe

**Sylvia atricapilla**

Eurasian Blackcap

Woodland; migratory in north, resident in south

**Anthus trivialis**

Tree Pipit

Breeds in open woodlands across Europe; migratory

**Vanellus vanellus**

Northern Lapwing

Farmland, wet grasslands; declining in the west but still widespread

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

> “Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

> **🗺️** **My Final Geo-Guess:**
> 
> You were likely in **Germany** — possibly in **northern or eastern Germany** (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:
> 
> *   On the **Grus grus migration route**
> *   Rich in mixed forests and wetlands
> *   Within the range of **Certhia brachydactyla**
> *   Likely to host **all the species** you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

**Conclusion**

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI is getting “creepy good” at geo-guessing 

Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. While the group has…

Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. While the group has leaked 1.5TB; it is offering the rest of the data for a price which includes the personal details of millions of patients.

Patients receiving critical kidney dialysis treatment from DaVita, a major healthcare provider, are now facing the possible exposure of their sensitive information. A group of cyber criminals from the Interlock ransomware has claimed responsibility for the cyberattack on the company and has begun posting what they say is stolen patient data on their dark web leak site.

This development comes just two weeks after DaVita, which operates a vast network of over 2,500 dialysis centres across the United States and hundreds more in 13 other countries, informed the US Securities and Exchange Commission about the ransomware attack, after which the company’s share fell by 3%, as reported by Investopedia.

As Hackread.com previously reported, the attack, which occurred around April 12th, involved the encryption of parts of DaVita’s computer systems, causing disruptions to their internal operations. At the time of their initial disclosure, DaVita stated they were implementing contingency plans to ensure uninterrupted patient care, a crucial service for individuals with end-stage renal disease who require dialysis multiple times a week to survive.

Now, Interlock, a relatively new ransomware group that began listing victims on its leak site in October 2024, is claiming to have stolen a massive 1.51 terabytes of data from DaVita. They have already posted samples of this alleged stolen information, raising serious concerns about the privacy of DaVita’s patients.

Screenshot from the Interlock Ransomware’s dark web leak site (Image credit: Hackread.com)

DaVita has acknowledged the dark web posting and stated they are in the process of thoroughly reviewing the data involved. “We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future,” their spokesperson stated.

The potential scale of the breach is significant considering that DaVita served approximately 281,100 patients worldwide through its extensive network of over 3,000 outpatient dialysis centres in 2024.

Cybersecurity experts, including Paul Bischoff from Comparitech, note that Interlock has been linked to a growing number of confirmed attacks since its emergence. It is worth noting that this group has previously claimed responsibility for a cyberattack on Texas Tech University Health Sciences Centre, an incident that reportedly compromised the medical information of over 530,000 individuals.

This track record emphasises the potential severity of the current situation for DaVita and its patients. The full scope of the compromised data and the potential consequences for affected individuals are yet to be determined as DaVita continues its investigation.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, commented on the latest development, stating, “Interlock began listing victims in October 2024, demanding ransom for decrypting systems and deleting stolen data. We’ve tracked 13 confirmed and 13 unconfirmed attacks by the group and in 2025 alone, there have been 17 confirmed ransomware attacks on US healthcare companies, with 80 more unconfirmed.”

“As seen with DaVita, these attacks can severely disrupt patient care and lead to long-term data privacy issues. In 2024, nearly 25.7 million records were breached across 160 healthcare ransomware incidents,” Paul revealed.

Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-34g7-pg9j-pxgp: Moodle allows IDOR when accessing the cohorts report

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m8qh-hx4c-h9hr: Moodle has a CSRF risk in Brickfield tool's analysis request action

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3640

**Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-6g5x-h5x7-q4mq: Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3635

**Moodle has a CSRF risk in user tours manager that allows tour duplication**

Low severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-88xj-97gf-7wpq: Moodle has a CSRF risk in user tours manager that allows tour duplication

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3644

**Moodle's AJAX section delete does not respect course\_can\_delete\_section()**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-cpm7-mv33-jwf8: Moodle's AJAX section delete does not respect course_can_delete_section()

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3636

**Moodle allows IDOR in RSS block, which allows access to additional RSS feeds**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-chmf-m33p-ph8m: Moodle allows IDOR in RSS block, which allows access to additional RSS feeds

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3637

**Moodle's mod\_data edit/delete pages pass CSRF token in GET parameter**

Low severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.3.12

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

Latest News