Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0138
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Moodle. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Moodle versions 4.3.x ant\u00e9rieures \u00e0 4.3.10",
"product": {
"name": "Moodle",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.1.x ant\u00e9rieures \u00e0 4.1.16",
"product": {
"name": "Moodle",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.5.x ant\u00e9rieures \u00e0 4.5.2",
"product": {
"name": "Moodle",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.4.x ant\u00e9rieures \u00e0 4.4.6",
"product": {
"name": "Moodle",
"vendor": {
"name": "Moodle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-26528",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26528"
},
{
"name": "CVE-2025-26529",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26529"
},
{
"name": "CVE-2024-38999",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38999"
},
{
"name": "CVE-2025-26527",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26527"
},
{
"name": "CVE-2025-26533",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26533"
},
{
"name": "CVE-2025-26532",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26532"
},
{
"name": "CVE-2025-26530",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26530"
},
{
"name": "CVE-2025-26526",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26526"
},
{
"name": "CVE-2025-26525",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26525"
},
{
"name": "CVE-2025-26531",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26531"
}
],
"initial_release_date": "2025-02-18T00:00:00",
"last_revision_date": "2025-02-18T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0138",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
"vendor_advisories": [
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0006",
"url": "https://moodle.org/mod/forum/discuss.php?d=466146"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0003",
"url": "https://moodle.org/mod/forum/discuss.php?d=466143"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0002",
"url": "https://moodle.org/mod/forum/discuss.php?d=466142"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0004",
"url": "https://moodle.org/mod/forum/discuss.php?d=466144"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0007",
"url": "https://moodle.org/mod/forum/discuss.php?d=466147"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0008",
"url": "https://moodle.org/mod/forum/discuss.php?d=466148"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0009",
"url": "https://moodle.org/mod/forum/discuss.php?d=466149"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0005",
"url": "https://moodle.org/mod/forum/discuss.php?d=466145"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0010",
"url": "https://moodle.org/mod/forum/discuss.php?d=466150"
},
{
"published_at": "2025-02-18",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-25-0001",
"url": "https://moodle.org/mod/forum/discuss.php?d=466141"
}
]
}
CVE-2025-26525 (GCVE-0-2025-26525)
Vulnerability from cvelistv5
Published
2025-02-24 19:31
Modified
2025-02-24 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Summary
Insufficient sanitizing in the TeX notation filter resulted in an
arbitrary file read risk on sites where pdfTeX is available (such as
those with TeX Live installed).
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T19:59:34.025897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T19:59:42.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient sanitizing in the TeX notation filter resulted in an \narbitrary file read risk on sites where pdfTeX is available (such as \nthose with TeX Live installed)."
}
],
"value": "Insufficient sanitizing in the TeX notation filter resulted in an \narbitrary file read risk on sites where pdfTeX is available (such as \nthose with TeX Live installed)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:10:27.216Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466141"
},
{
"tags": [
"patch"
],
"url": "https://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84136"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Arbitrary file read risk through pdfTeX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26525",
"datePublished": "2025-02-24T19:31:43.881Z",
"dateReserved": "2025-02-12T13:29:39.335Z",
"dateUpdated": "2025-02-24T20:10:27.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26531 (GCVE-0-2025-26531)
Vulnerability from cvelistv5
Published
2025-02-24 20:02
Modified
2025-02-25 14:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Insufficient capability checks made it possible to disable badges a user does not have permission to access.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26531",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:19:42.478063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:19:51.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access."
}
],
"value": "Insufficient capability checks made it possible to disable badges a user does not have permission to access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:02:57.732Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466148"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84239"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IDOR in badges allows disabling of arbitrary badges",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26531",
"datePublished": "2025-02-24T20:02:57.732Z",
"dateReserved": "2025-02-12T13:29:39.337Z",
"dateUpdated": "2025-02-25T14:19:51.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26532 (GCVE-0-2025-26532)
Vulnerability from cvelistv5
Published
2025-02-24 20:05
Modified
2025-02-25 14:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:19:04.443547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:19:13.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored."
}
],
"value": "Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:05:21.153Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466149"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Teachers can evade trusttext config when restoring glossary entries",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26532",
"datePublished": "2025-02-24T20:05:21.153Z",
"dateReserved": "2025-02-12T13:29:39.337Z",
"dateUpdated": "2025-02-25T14:19:13.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26529 (GCVE-0-2025-26529)
Vulnerability from cvelistv5
Published
2025-02-24 19:52
Modified
2025-02-24 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Description information displayed in the site administration live log
required additional sanitizing to prevent a stored XSS risk.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T20:05:38.160784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:07:14.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Description information displayed in the site administration live log \nrequired additional sanitizing to prevent a stored XSS risk."
}
],
"value": "Description information displayed in the site administration live log \nrequired additional sanitizing to prevent a stored XSS risk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:14:08.198Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466145"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84145"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS risk in admin live log",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26529",
"datePublished": "2025-02-24T19:52:48.821Z",
"dateReserved": "2025-02-12T13:29:39.336Z",
"dateUpdated": "2025-02-24T20:14:08.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26533 (GCVE-0-2025-26533)
Vulnerability from cvelistv5
Published
2025-02-24 20:07
Modified
2025-02-25 14:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
An SQL injection risk was identified in the module list filter within course search.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:35:13.711277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:35:34.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An SQL injection risk was identified in the module list filter within course search."
}
],
"value": "An SQL injection risk was identified in the module list filter within course search."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:07:44.582Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466150"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84271"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection risk in course search module list filter",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26533",
"datePublished": "2025-02-24T20:07:44.582Z",
"dateReserved": "2025-02-12T13:29:39.337Z",
"dateUpdated": "2025-02-25T14:35:34.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26526 (GCVE-0-2025-26526)
Vulnerability from cvelistv5
Published
2025-02-24 19:39
Modified
2025-02-24 20:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Separate Groups mode restrictions were not factored into permission
checks before allowing viewing or deletion of responses in Feedback
activities.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T19:58:41.267874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T19:58:53.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Separate Groups mode restrictions were not factored into permission \nchecks before allowing viewing or deletion of responses in Feedback \nactivities."
}
],
"value": "Separate Groups mode restrictions were not factored into permission \nchecks before allowing viewing or deletion of responses in Feedback \nactivities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:11:24.973Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466142"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-79976"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Feedback response viewing and deletions did not respect Separate Groups mode",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26526",
"datePublished": "2025-02-24T19:39:23.646Z",
"dateReserved": "2025-02-12T13:29:39.335Z",
"dateUpdated": "2025-02-24T20:11:24.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26528 (GCVE-0-2025-26528)
Vulnerability from cvelistv5
Published
2025-02-24 19:50
Modified
2025-02-24 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T20:03:52.892987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:04:22.319Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk."
}
],
"value": "The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:13:02.785Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466144"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-82896"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in ddimageortext question type",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26528",
"datePublished": "2025-02-24T19:50:11.812Z",
"dateReserved": "2025-02-12T13:29:39.336Z",
"dateUpdated": "2025-02-24T20:13:02.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26527 (GCVE-0-2025-26527)
Vulnerability from cvelistv5
Published
2025-02-24 19:44
Modified
2025-02-24 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Summary
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ Version: 4.1.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T19:57:30.268527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T19:58:10.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.1.16",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block."
}
],
"value": "Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:12:14.116Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466143"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-83941"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Non-searchable tags can still be discovered on the tag search page and in the tags block",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26527",
"datePublished": "2025-02-24T19:44:06.228Z",
"dateReserved": "2025-02-12T13:29:39.336Z",
"dateUpdated": "2025-02-24T20:12:14.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38999 (GCVE-0-2024-38999)
Vulnerability from cvelistv5
Published
2024-07-01 00:00
Modified
2024-08-02 04:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jrburke:requirejs:2.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "requirejs",
"vendor": "jrburke",
"versions": [
{
"status": "affected",
"version": "2.3.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38999",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T15:59:34.204957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T16:00:29.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T12:49:23.049244",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-38999",
"datePublished": "2024-07-01T00:00:00",
"dateReserved": "2024-06-21T00:00:00",
"dateUpdated": "2024-08-02T04:19:20.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26530 (GCVE-0-2025-26530)
Vulnerability from cvelistv5
Published
2025-02-24 19:56
Modified
2025-02-24 20:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Moodle Project | moodle |
Version: 4.5.0 ≤ Version: 4.4.0 ≤ Version: 4.3.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T20:05:56.789340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T20:06:40.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "Moodle Project",
"versions": [
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.3.10",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.2.*",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-02-18T05:39:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The question bank filter required additional sanitizing to prevent a reflected XSS risk."
}
],
"value": "The question bank filter required additional sanitizing to prevent a reflected XSS risk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T19:56:14.586Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://moodle.org/mod/forum/discuss.php?d=466146"
},
{
"tags": [
"patch"
],
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-84146"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS via question bank filter",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-26530",
"datePublished": "2025-02-24T19:56:14.586Z",
"dateReserved": "2025-02-12T13:29:39.336Z",
"dateUpdated": "2025-02-24T20:06:40.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…