Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai...

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Description

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

Basic Information

ID CVE-2025-67849

Source fedora

Published Feb 3, 2026 at 10:52

Affected Product

Version 5.1.0

Affected Versions 4.5.0
5.0.0
5.1.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.",
    "published": "2026-02-03T10:52:01.127Z",
    "modified": "2026-02-03T10:52:01.127Z",
    "type": "cve",
    "title": "Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses",
    "source": "fedora",
    "references": "https://access.redhat.com/security/cve/CVE-2025-67849\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2423835",
    "id": "CVE-2025-67849",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "  4.5.0\n  5.0.0\n  5.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "",
    "version": "5.1.0",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses_CVE-2025-67849