← Retour aux CVEs

CVE-2025-60507

HIGH

8.9

Description

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

Details CVE

Score CVSS v3.18.9

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurREQUIRED

Publie10/21/2025

Derniere modification10/21/2025

Sourcenvd

Observations honeypot0

Faiblesses (CWE)

CWE-79

References

https://github.com/onurcangnc/moodle_genai_plugin_xss(cve@mitre.org)

https://moodle.org/plugins/local_geniai(cve@mitre.org)

https://moodle.org/security/(cve@mitre.org)

https://onurcangenc.com.tr/posts/moodle-genia%C4%B1-plugin-vulnerability-stored-reflected-xss-via-pdf-upload-and-chatbot-%C4%B1nput/(cve@mitre.org)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.