Reflected Cross-Site Scripting Vulnerability in Moodle by Moodle
CVE-2025-3643

CVSS v3.1 base score: 5.4 (MEDIUM)

Key Information:

Vendor: Moodle
Status: Vendor
CVE Published: 25 April 2025

What is CVE-2025-3643?

A security flaw in Moodle has been identified that exposes the platform to a reflected cross-site scripting (XSS) attack. The vulnerability arises from insufficient sanitization of the return URL in the policy tool, so a crafted return URL can carry script that the page reflects back to the browser. An attacker who persuades a user to open such a link can run script in that user's browser session, bypassing the intended security controls and putting user data and privacy at risk. Administrators should apply the relevant Moodle security patches and updates to protect their installations.
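The pattern behind this class of bug is a "return URL" parameter that is echoed into the page without being validated or escaped. The following Python is an added illustration written for this page; it is not Moodle code and does not reproduce the policy tool's actual logic. It shows the unsafe reflection pattern next to a hardened version that (a) only accepts local, same-site paths as a return target and falls back to a safe default otherwise, and (b) HTML-escapes the value when it is written into markup. The function names, the default target `/`, and the sample inputs are all constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed default: where to send the user when the supplied return URL is rejected.
DEFAULT_RETURN = "/"


def safe_return_url(candidate, default=DEFAULT_RETURN):
    """Accept `candidate` only if it is a local path on this site; otherwise return `default`.

    Rejects absolute URLs (http://, https://), pseudo-schemes (javascript:, data:),
    scheme-relative URLs (//host/...), backslash variants that browsers treat as
    slashes (/\\host/...), and values containing control characters.
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    # Newlines, tabs and other control characters have no place in a return path.
    if any(not ch.isprintable() for ch in candidate):
        return default
    parts = urlsplit(candidate)
    # Any scheme or network location means the value is not a local path.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute local path, and must not be an open redirect in disguise.
    if not candidate.startswith("/") or candidate.startswith("//") or candidate.startswith("/\\"):
        return default
    return candidate


def render_link_unsafe(return_url):
    """The vulnerable pattern: the parameter is reflected verbatim into HTML."""
    return f'<a href="{return_url}">Continue</a>'


def render_link_safe(return_url):
    """Hardened: validate the target, then escape it for an HTML attribute context."""
    url = safe_return_url(return_url)
    return f'<a href="{html.escape(url, quote=True)}">Continue</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate local path and several that must be rejected.
    samples = [
        "/user/profile.php?id=5",
        "https://attacker.example/",
        "javascript:void(0)",
        "//attacker.example/",
        '/x"y',
    ]
    for s in samples:
        print(f"{s!r:32} -> unsafe: {render_link_unsafe(s)}")
        print(f"{'':32}    safe: {render_link_safe(s)}")
```

Note that both layers matter: the allowlist stops the parameter from being turned into an off-site redirect or a `javascript:` target, and the escaping stops a value that passes the allowlist (such as a path containing a quote character) from breaking out of the attribute it is written into.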

References

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 25 April 2025

  • Vulnerability Reserved