CVE-2025-26529
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Moodle's site administration live log lets an attacker who already has administrative access inject malicious scripts that execute when administrators view the log. It affects Moodle administrators who access the vulnerable administration interface.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could inject malicious JavaScript that steals administrator credentials, performs actions as administrators, or installs backdoors when other admins view the live log.
Likely Case
A malicious admin injects scripts to maintain persistence, steal session cookies, or perform unauthorized actions through other administrators' browsers.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires administrative access to inject malicious content into the live log, which then executes when other administrators view the log.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions containing commit MDL-84145
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=466145
Restart Required: No
Instructions:
1. Update Moodle to a version containing the MDL-84145 fix.
2. Check the Moodle git repository for the specific commit.
3. Apply the patch if manual patching is required.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted personnel only and implement strong authentication controls.
Disable Live Log Feature
Temporarily disable the site administration live log feature if not essential.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor admin user activity and review live log access patterns for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check if your Moodle version includes the MDL-84145 commit by examining the git history or version changelog.
Check Version:
Check Moodle version via admin interface or config.php file
Verify Fix Applied:
Verify the fix by checking that user input in the live log is properly HTML-encoded when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript or HTML content in live log entries
- Multiple admin sessions from same user
Network Indicators:
- Unexpected outbound connections from admin browsers after viewing logs
SIEM Query:
Search for: 'live log' AND (javascript: OR <script> OR onload=) in admin access logs
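The log indicators, the SIEM query and the "Verify Fix Applied" check above, as an added Python example (not Moodle's code and not part of the vendor advisory). The entry field names and sample rows are constructed for illustration, and the event-handler pattern generalises the page's `onload=` marker to any `on…=` attribute.

```python
import html
import re
from urllib.parse import unquote

# Markers from the SIEM query above; on[a-z]+= generalises "onload=".
MARKERS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample rows; the field names are hypothetical, not Moodle's schema.
SAMPLE_ENTRIES = [
    {"time": "2025-02-20 10:01:12", "user": "admin1",
     "description": "The user viewed the course with id '4'."},
    {"time": "2025-02-20 10:03:40", "user": "admin2",
     "description": "<script>alert(1)</script>"},
    {"time": "2025-02-20 10:04:05", "user": "admin2",
     "description": "%3Cimg src=x onload%3D1%3E"},
]

def normalise(value: str) -> str:
    """Undo one layer of URL- and HTML-encoding so encoded markup still matches."""
    return html.unescape(unquote(value))

def flag_entries(entries):
    """Return (row index, field, matched marker) for each field holding markup."""
    hits = []
    for i, entry in enumerate(entries):
        for field, value in entry.items():
            m = MARKERS.search(normalise(str(value)))
            if m:
                hits.append((i, field, m.group(0).lower()))
    return hits

def rendered_safely(raw: str, page_html: str) -> bool:
    """True when the stored value appears in the page only in HTML-encoded form.

    Compares against Python's html.escape; a server may encode quote
    characters differently, so test with values that contain no quotes.
    """
    escaped = html.escape(raw)
    return escaped in page_html and (escaped == raw or raw not in page_html)

if __name__ == "__main__":
    for row, field, marker in flag_entries(SAMPLE_ENTRIES):
        print(f"row {row}: field '{field}' contains {marker!r}")
```

A hit from `flag_entries` is a lead for review rather than proof of injection, since legitimate text can contain an `on…=` sequence.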