Cross-Site Request Forgery Vulnerability in Moodle's Brickfield Tool
CVE-2025-3638
8.8 HIGH
What is CVE-2025-3638?
A vulnerability has been identified in Moodle's Brickfield Tool, where the analysis request action fails to include a required token. This oversight exposes the system to potential Cross-Site Request Forgery (CSRF) attacks, allowing malicious actors to perform unintended actions on behalf of users without their consent. It is essential for users to understand the implications of this flaw and take appropriate measures to protect their systems from unauthorized access.
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Vincent Schneider for reporting this issue.