Moodle: moodle: information disclosure and script execution via reflected cross-site scripting
Description
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected Cross-Site Scripting (XSS) flaw in Moodle's policy tool return URL allows script injection via unsanitized URL parameters, leading to information disclosure or arbitrary client-side script execution.
The vulnerability is a reflected Cross-Site Scripting (XSS) flaw found in Moodle's policy tool return URL. The root cause is insufficient sanitization of URL parameters, specifically in the clean_param_value_localurl function. As shown in a recent commit [4], the check for javascript URIs was enhanced to block more variants, indicating that previous filtering could be bypassed. This aligns with the official description [1][2] which states that insufficient sanitization allows malicious script injection.
Exploitation occurs remotely by convincing a user to click a crafted link containing a malicious payload in the return URL parameter. The attacker does not require authentication to craft the link, making it a classic reflected XSS attack. When the victim clicks the link and interacts with the policy tool, the injected script executes in their browser context, as described in the security advisory [1][2].
Successful exploitation can lead to information disclosure or arbitrary client-side script execution. An attacker could potentially steal session cookies, perform actions on behalf of the victim, or deface pages within the Moodle instance. The impact is limited by the attacker's ability to craft a convincing phishing link, but the consequences could be severe if a user with administrative privileges falls for the attack [1][2].
A fix has been implemented in Moodle's development repository [4] and likely included in a subsequent release. Users are advised to update to the latest patched version. The open-source nature of Moodle [3] allows administrators to review the commit and apply it if an update is not immediately possible. Red Hat's advisory [1] also acknowledges the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 4.1.22 | 4.1.22 |
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
| moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
| moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
| moodle/moodle (Packagist) | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Patches
0c146aa2612f MDL-86544 lib: Adjust checks on local URL params
1 file changed · +4 −2
public/lib/classes/param.php+4 −2 modified@@ -1067,8 +1067,10 @@ protected function clean_param_value_localurl(mixed $param): string { // Absolute, and matches our wwwroot. } else { // Relative - let's make sure there are no tricks. - if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?') && - !preg_match('/javascript(?:.*\/{2,})?:/i', rawurldecode($param))) { + if ( + validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?') && + !preg_match('/\bjavascript\b[\s\S]*?(?:\:|\/)/i', rawurldecode($param)) + ) { // Valid relative local URL. } else { $param = '';
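Review bot: the widened pattern `/\bjavascript\b[\s\S]*?(?:\:|\/)/i` is no longer tied to the scheme position, so any relative path that merely contains the word `javascript` followed somewhere later by a `/` or `:` (a local path like `lib/javascript/index.php`) is now cleaned to an empty string; either constrain the match to the start of the decoded value or state the accepted false-positive trade-off in the `// Relative - let's make sure there are no tricks.` comment. The `\:` escape inside the alternation is unnecessary (`(?::|\/)` is enough). The change is 1 file changed with no accompanying test, so a unit test covering a benign relative path and a rejected scheme-style value would document the intended behaviour of `clean_param_value_localurl()`.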
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
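To make the trade-off in the patch concrete, the following added example (not Moodle's code) re-applies the pre-patch and patched `preg_match()` patterns from the hunk above to constructed return-URL values, next to a parse-based allow-list check; Moodle's `validateUrlSyntax()` step is assumed to have passed and is not reproduced.

```python
import re
from urllib.parse import unquote, urlsplit

# Both patterns are copied from the fix-commit hunk for clean_param_value_localurl():
# the check the commit removed, and the widened check that replaced it.
OLD_JS_PATTERN = re.compile(r'javascript(?:.*/{2,})?:', re.IGNORECASE)
PATCHED_JS_PATTERN = re.compile(r'\bjavascript\b[\s\S]*?(?::|/)', re.IGNORECASE)


def denylist_allows(param: str, pattern: re.Pattern) -> bool:
    """True if the regex deny-list lets the relative return URL through.
    Mirrors only the preg_match() half of Moodle's check on the once-decoded
    value; the validateUrlSyntax() half is assumed to pass (simplification)."""
    return pattern.search(unquote(param)) is None


def allowlist_allows(param: str) -> bool:
    """Allow-list alternative (illustrative, not Moodle's code): parse the
    once-decoded value and accept only a scheme-less, host-less relative path."""
    decoded = unquote(param)
    # Browsers strip ASCII tab/newline from URLs before parsing; rather than
    # model that, reject any control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    if decoded.startswith(('/', '\\')):
        return False  # absolute or protocol-relative forms are not a relative path
    parts = urlsplit(decoded)
    return not parts.scheme and not parts.netloc


# Constructed sample return-URL values (not taken from the advisory).
SAMPLES = {
    "course/view.php?id=2": "benign relative path",
    "course/javascript/index.php": "benign path containing the word javascript",
    "javascript:alert(1)": "classic scheme-based payload",
    "//example.test/landing": "protocol-relative redirect target",
}


def classify(param: str) -> dict:
    """Run all three checks on one value; True means the value is let through."""
    return {
        "old_denylist": denylist_allows(param, OLD_JS_PATTERN),
        "patched_denylist": denylist_allows(param, PATCHED_JS_PATTERN),
        "allowlist": allowlist_allows(param),
    }


if __name__ == "__main__":
    for value, note in SAMPLES.items():
        print(f"{value!r:32} {note:45} {classify(value)}")
```

The second sample shows the false positive the patched pattern introduces (rejected by the patched deny-list, accepted by the allow-list), while the last shows a case neither regex was ever meant to cover.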
References
- github.com/advisories/GHSA-vwhw-vp9v-q9c9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67855 (NVD advisory)
- access.redhat.com/security/cve/CVE-2025-67855 (Red Hat vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
- github.com/moodle/moodle/commit/0c146aa2612fb6d0544f200a018cb42da75db713 (fix commit)
- moodle.org/mod/forum/discuss.php (Moodle forum announcement)
News mentions
No linked articles in our index yet.