CVE-2025-67855
Unknown Unknown - Not Provided
Reflected XSS in Moodle Policy Tool Enables Script Injection

Publication date: 2026-02-03

Last updated on: 2026-02-11

Assigner: Fedora Project

Description
A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67855
EUVD
EUVD-2025-206749
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
moodle moodle From 4.4.0 (inc) to 4.4.11 (exc)
moodle moodle From 4.5.0 (inc) to 4.5.8 (exc)
moodle moodle From 5.0.0 (inc) to 5.0.4 (exc)
moodle moodle 5.1.0
moodle moodle to 4.1.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in Mooodle's policy tool return URL. It occurs because the application does not properly sanitize URL parameters, allowing an attacker to craft malicious links that inject and execute scripts in the user's browser when they click the link. [1]

Impact Analysis

Exploitation of this vulnerability can lead to information disclosure and arbitrary client-side script execution within the user's browser. This means attackers could steal sensitive information or perform actions on behalf of the user without their consent. [1]

Detection Guidance

This vulnerability can be detected by testing the policy tool's return URL for reflected Cross-Site Scripting (XSS) by injecting typical XSS payloads into URL parameters and observing if they are reflected unsanitized in the response. Commands using tools like curl or wget can be used to send crafted requests with XSS payloads, for example: curl -v 'http://target/mooodle/policytool?returnUrl=<script>alert(1)</script>'. Monitoring web server logs for suspicious URL parameters or using web vulnerability scanners that test for reflected XSS can also help detect this issue. [1]

Mitigation Strategies

Immediate mitigation steps include applying any available patches or updates from the vendor addressing this vulnerability. If patches are not yet available, consider implementing input validation and sanitization on URL parameters at the web application or web server level, or using a Web Application Firewall (WAF) to block malicious payloads. Additionally, educating users to avoid clicking on suspicious links and monitoring for exploitation attempts can help reduce risk. [1]

Compliance Impact

The vulnerability allows for reflected Cross-Site Scripting (XSS) attacks that can lead to information disclosure and arbitrary client-side script execution. Such risks can potentially impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with these regulations or any specific compliance implications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67855. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart