Moodle allows reflected XSS via question bank filter · CVE-2025-26530 · GitHub Advisory Database · GitHub

Moodle allows reflected XSS via question bank filter

High severity GitHub Reviewed Published Feb 24, 2025 to the GitHub Advisory Database • Updated Feb 24, 2025

Package

moodle/moodle (Composer)

Affected versions

>= 4.5.0-beta, < 4.5.2

>= 4.4.0-beta, < 4.4.6

>= 4.3.0-beta, < 4.3.10

Patched versions

4.5.2

4.4.6

4.3.10

Description

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

References

Published by the National Vulnerability Database

Feb 24, 2025

Published to the GitHub Advisory Database Feb 24, 2025

Reviewed Feb 24, 2025

Last updated Feb 24, 2025

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H