CVE-2025-67850: Moodle vulnerable to Cross-site Scripting
A flaw was found in Moodle. This vulnerability, known as Cross-site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor’s arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.
References
- access.redhat.com/security/cve/CVE-2025-67850
- bugzilla.redhat.com/show_bug.cgi?id=2423838
- github.com/advisories/GHSA-6mmv-f6c6-v6q8
- github.com/moodle/moodle
- github.com/moodle/moodle/commit/c85f153068a717a3b28bc122e75154bac99e67e1
- moodle.org/mod/forum/discuss.php?d=471300
- nvd.nist.gov/vuln/detail/CVE-2025-67850
Code Behaviors & Features
Detect and mitigate CVE-2025-67850 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →