CVE-2025-67851
Formula Injection Vulnerability in Moodle Export Risks Data Integrity
Publication date: 2026-02-03
Last updated on: 2026-02-11
Assigner: Fedora Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moodle | moodle | From 4.4.0 (inc) to 4.4.11 (exc) |
| moodle | moodle | From 4.5.0 (inc) to 4.5.8 (exc) |
| moodle | moodle | From 5.0.0 (inc) to 5.0.4 (exc) |
| moodle | moodle | 5.1.0 |
| moodle | moodle | to 4.1.22 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a formula injection flaw in Moodle that happens when data fields are exported without proper escaping. A remote attacker can insert malicious data that, when exported and opened in a spreadsheet, executes arbitrary formulas. This can lead to compromised data integrity and unintended spreadsheet operations. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to execute arbitrary formulas within exported spreadsheet files. This can compromise the integrity of your data and cause unintended operations or actions within the spreadsheet, potentially leading to data corruption or misuse. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that data fields exported from Moodle are properly escaped to prevent formula injection. Avoid opening exported spreadsheet files from untrusted sources without verification. Apply any available patches or updates from Moodle or your Linux distribution that address this issue. Additionally, review and restrict user input that can be exported to spreadsheets to prevent malicious formula injection. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary formula execution within exported spreadsheet files, which can compromise data integrity and cause unintended operations. Such compromise of data integrity may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data accuracy and integrity.
However, there is no explicit information provided about direct effects on compliance with these regulations or specific controls impacted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting exported spreadsheet files from Moodle for the presence of unescaped formula characters (such as '=', '+', '-', or '@') at the beginning of data fields. Since the issue arises when data fields are exported without proper escaping, checking exported CSV or spreadsheet files for such patterns can help identify potential exploitation.

You can use command-line tools to search for suspicious formula injections in exported files. For example, using grep to find lines starting with formula characters in exported CSV files:

- `grep -E '^(=|\+|-|@)' exported_file.csv`

Additionally, reviewing Moodle export logs or monitoring export processes for unusual data inputs may help detect attempts to exploit this vulnerability. [1]
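The grep above only flags a formula character at the start of a line, i.e. in the first column, and does not understand CSV quoting. The following Python script is an added example (not from this page, not Moodle's code) that does both halves of the defence the answers above describe: it parses an export with the standard csv module and reports every cell, in any column, that begins with a formula lead character, and it shows the escaping an exporter should apply (prefixing such values with a single quote so the spreadsheet stores them as text). The sample rows and the hypothetical export file content are constructed for the example.

```python
import csv
import io
from typing import List, Tuple

# Characters a spreadsheet may treat as the start of a formula when they lead
# a cell (CWE-1236). Tab and carriage return are included because some
# importers strip leading whitespace before deciding how to interpret a cell.
FORMULA_LEAD_CHARS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(field: str) -> bool:
    """True if a spreadsheet would evaluate this field as a formula."""
    return field.startswith(FORMULA_LEAD_CHARS)


def neutralize_field(field: str) -> str:
    """Escape one exported value so it is stored as literal text.

    Uses the common CSV-injection defence: prefix a formula-like value with
    a single quote. Quoting of commas, quotes and newlines is left to the
    csv writer in export_rows().
    """
    if is_formula_like(field):
        return "'" + field
    return field


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Return (row, column, value) for every cell that starts with a formula
    lead character. Unlike `grep '^='`, this honours CSV quoting and checks
    every column rather than only the first."""
    findings: List[Tuple[int, int, str]] = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_idx, row in enumerate(reader, start=1):
        for col_idx, value in enumerate(row, start=1):
            if is_formula_like(value):
                findings.append((row_idx, col_idx, value))
    return findings


def export_rows(rows: List[List[str]]) -> str:
    """Write rows as CSV text with every field neutralized, which is what an
    exporter should do before the file reaches a spreadsheet user."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_field(v) for v in row])
    return buf.getvalue()


# Constructed sample data: one benign user row and one whose display name
# field starts with '=' (a harmless SUM, used only to show the shape).
SAMPLE_ROWS = [
    ["id", "displayname", "email"],
    ["1", "Alice Example", "alice@example.invalid"],
    ["2", "=SUM(1,2)", "bob@example.invalid"],
]

# Constructed content of a hypothetical unescaped export of the rows above.
# The formula sits in the second column, so a line-anchored grep misses it.
SAMPLE_UNSAFE_CSV = (
    "id,displayname,email\n"
    "1,Alice Example,alice@example.invalid\n"
    '2,"=SUM(1,2)",bob@example.invalid\n'
)


if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE_UNSAFE_CSV):
        print(f"row {row} col {col}: {value!r}")  # row 3 col 2: '=SUM(1,2)'
    print(export_rows(SAMPLE_ROWS))
```

Running the script against a real export is a matter of reading the file into `find_formula_cells`; an empty result after `export_rows` confirms that the neutralized output no longer contains any formula-leading cell.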