CVE-2025-67855
MEDIUMMoodle < 4.1.22 - Reflected Cross-Site Scripting via Policy Tool Return URL
Title source: llmDescription
A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
References (2)
Core 2
Core References
Third Party Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-67855
Third Party Advisory issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2423861
Scores
CVSS v3
5.4
EPSS
0.0003
EPSS Percentile
9.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
moodle/moodle
5.1.0
moodle/moodle
< 4.1.22
moodle/moodle
0 - 4.1.22Packagist
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026