Moodle Security Flaw Allows Unauthorized Duplication of Tours
CVE-2025-3635

Currently unrated

Key Information:

Vendor: Moodle

Status
Vendor
CVE Published: 25 April 2025

What is CVE-2025-3635?

A vulnerability in Moodle allows unauthorized users to duplicate existing tours without authentication, because the safeguards against cross-site request forgery (CSRF) attacks are insufficient. Exploitation could lead to unauthorized content manipulation and a degraded user experience within Moodle environments.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Vincent Schneider for reporting this issue.