← Back to CVEs

CVE-2025-60507

HIGH

8.9

Description

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

CVE Details

CVSS v3.1 Score8.9

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionREQUIRED

Published10/21/2025

Last Modified10/21/2025

Sourcenvd

Honeypot Sightings0

Weaknesses (CWE)

CWE-79

References

https://github.com/onurcangnc/moodle_genai_plugin_xss(cve@mitre.org)

https://moodle.org/plugins/local_geniai(cve@mitre.org)

https://moodle.org/security/(cve@mitre.org)

https://onurcangenc.com.tr/posts/moodle-genia%C4%B1-plugin-vulnerability-stored-reflected-xss-via-pdf-upload-and-chatbot-%C4%B1nput/(cve@mitre.org)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.