CVE-2025-3635

LOW

Moodle < 4.1.18 - CSRF

Title source: rule

Description

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

References (2)

[Third Party Advisory] https://access.redhat.com/security/cve/CVE-2025-3635

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2359709

Scores

CVSS v3 3.5

EPSS 0.0012

EPSS Percentile 31.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-352

Status published

Affected Products (2)

moodle/moodle < 4.1.18

moodle/moodle < 4.1.18Packagist

Timeline

Published Apr 25, 2025

Tracked Since Feb 18, 2026