Vulnerability Details
Basic Information
| Title | Exploit for CVE-2025-26529 |
|---|---|
| Type | githubexploit |
| Published | 2025-05-03T20:34:54 |
| Last Seen | 2025-05-04T09:03:46 |
| CVSS Score | 8.3 (HIGH) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2025-26529 |
|---|---|
| CWE | |
| Bulletin Family | exploit |
Description
This repository contains a comprehensive **Proof-of-Concept (PoC)** scanner and exploitation framework targeting **CVE-2025-26529**, a critical XSS vulnerability in vulnerable Moodle instances.
This tool is designed specifically for **UNISA's Moodle portal** (`https://mymodules.dtls.unisa.ac.za`) and must **only** be used under proper authorization and compliance with legal and institutional guidelines.
---
## DISCLAIMER
> **Authorized Use Only**
> This PoC is intended **exclusively for authorized UNISA cyber incident response and audit teams**.
> Misuse of this tool may lead to **criminal prosecution**.
> Developed by **ScaryByte**, in collaboration with UNISA teams.
---
## CVE Details
* **CVE-ID:** CVE-2025-26529
* **Type:** Reflected and DOM-based Cross-Site Scripting (XSS)
* **Impact:** Credential theft, session hijack, clickjacking, remote JS injection
* **Affected Software:** Moodle-based e-learning systems (core and unpatched plugins)
* **Attack Vector:** User input passed unsanitized to HTML context on vulnerable query routes
---
## Requirements
Ensure Python 3.10+ is installed. Use a **virtualenv** for best isolation.
```bash
sudo apt update && sudo apt install -y python3-pip chromium-driver
python3 -m venv venv-xss
source venv-xss/bin/activate
pip install -r requirements.txt
```
### `requirements.txt`
```txt
requests
beautifulsoup4
selenium
```
---
## Features
* ✅ CVE-2025-26529 reflected XSS payload testing
* ✅ DOM-based XSS detection using `MutationObserver`
* ✅ Cookie extraction and session hijack simulation
* ✅ Clickjacking iframe PoC generation
* ✅ Admin panel exposure verification
* ✅ Selenium-based rendering of DOM-XSS payloads
---
## Files
| File | Description |
|---|---|
| `xss_checker.py` | Main PoC script |
| `clickjack_poc.html` | Generated iframe-based clickjacking attack |
| `dom_xss_poc.html` | DOM XSS PoC with MutationObserver listener |
| `cve2025_full_scan.log` | Full exploit scan log |
| `requirements.txt` | Python dependencies |
---
## Usage
Run the scanner from an authorized Kali Linux instance:
```bash
python3 xss_checker.py
```
Expected output:
* Status of publicly exposed files
* Payload reflection confirmation
* Cookies sniffed via `Set-Cookie` headers
* Admin panel accessibility
* DOM XSS PoC auto-loaded in headless browser
---
## DOM XSS PoC Preview
```html
```
---
## Next Steps
* ✅ Validate PoC against staging and production environments.
* Extend to perform **authenticated session simulation**.
* Integrate with **BurpSuite proxy** for full visibility.
---
## Legal Notice
This tool is part of a **UNISA vulnerability verification mandate** for CVE-2025-26529.
You are **not authorized** to use this PoC on any domain **except `mymodules.dtls.unisa.ac.za`** unless explicitly permitted.
---
## Credits
* Maintained by [ScaryByte](https://scarybyte.online)
---
Impact Assessment
| Base Score | 8.3 |
|---|---|
| Severity | HIGH |