← Zuruck zu CVEs

CVE-2025-60507

HIGH

8.9

Beschreibung

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

CVE Details

CVSS v3.1 Bewertung8.9

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienLOW

BenutzerinteraktionREQUIRED

Veroffentlicht10/21/2025

Zuletzt geandert10/21/2025

Quellenvd

Honeypot-Sichtungen0

Schwachen (CWE)

CWE-79

Referenzen

https://github.com/onurcangnc/moodle_genai_plugin_xss(cve@mitre.org)

https://moodle.org/plugins/local_geniai(cve@mitre.org)

https://moodle.org/security/(cve@mitre.org)

https://onurcangenc.com.tr/posts/moodle-genia%C4%B1-plugin-vulnerability-stored-reflected-xss-via-pdf-upload-and-chatbot-%C4%B1nput/(cve@mitre.org)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.