Stored XSS Vulnerability in Moodle Drag-and-Drop Image Question Type
CVE-2025-26528
3.4 LOW
Summary
A vulnerability exists in the drag-and-drop onto image question type (ddimageortext) in Moodle: insufficient sanitization of input can lead to stored XSS. An attacker can inject malicious scripts that execute in the context of other users who access the affected content. Administrators and educators using Moodle should apply the necessary patches and updates to mitigate this risk.
Affected Version(s)
moodle 4.5.0 < 4.5.2
moodle 4.4.0 < 4.4.6
moodle 4.3.0 < 4.3.10
CVSS V3.1
Score: 3.4
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved