CVE-2025-67849

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

A

flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2025-67849	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2423835	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:5.1.0:-::::::

History

11 Feb 2026, 18:31

Type	Values Removed	Values Added
First Time		Moodle Moodle moodle
References	~~() https://access.redhat.com/security/cve/CVE-2025-67849 -~~	() https://access.redhat.com/security/cve/CVE-2025-67849 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2423835 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2423835 - Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:moodle:moodle:::::::: cpe:2.3:a:moodle:moodle:5.1.0:-::::::

03 Feb 2026, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 11:15

Updated : 2026-02-11 18:31

NVD link : CVE-2025-67849

Mitre link : CVE-2025-67849

CVE.ORG link : CVE-2025-67849

JSON object : View

Products Affected

moodle

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-67849", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-02-03T11:15:55.067", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-67849", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423835", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated."}], "lastModified": "2026-02-11T18:31:37.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0CC5CF8-4808-41A5-B8A1-B0D6C575E5DC", "versionEndExcluding": "4.5.8", "versionStartIncluding": "4.5.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06F81442-AEEB-483D-90A9-93DDBA5B95D6", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:5.1.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "567FEE12-0E75-4F0C-B22E-E76990C80E1B"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}