Nixpkgs security tracker

Untriaged

Permalink CVE-2025-67850

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 months, 1 week ago

Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.

References

https://access.redhat.com/security/cve/CVE-2025-67850 vdb-entryx_refsource_REDHAT
RHBZ#2423838 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2025-67850 vdb-entryx_refsource_REDHAT
RHBZ#2423838 x_refsource_REDHATissue-tracking

Affected products

moodle

<4.5.8
<4.1.22
<5.0.4
<5.1.1
<4.4.12

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.1.1
nixos-25.11 5.0.4

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

nixos-unstable 2.3.13
- nixpkgs-unstable 2.3.13
- nixos-unstable-small 2.3.13
nixos-25.11 2.3.13

Package maintainers