Nixpkgs security tracker

Untriaged

Permalink CVE-2025-67851

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): HIGH
Availability impact (A): LOW

created 2 months, 1 week ago

Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

References

https://access.redhat.com/security/cve/CVE-2025-67851 vdb-entryx_refsource_REDHAT
RHBZ#2423841 x_refsource_REDHATissue-tracking
https://moodle.org/mod/forum/discuss.php?d=471301

Affected products

moodle

<4.5.8
<4.1.22
<5.0.4
<5.1.1
<4.4.12

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.1.1
nixos-25.11 5.0.4

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

nixos-unstable 2.3.13
- nixpkgs-unstable 2.3.13
- nixos-unstable-small 2.3.13
nixos-25.11 2.3.13

Package maintainers