CVE-2025-3638

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Moodle's Brickfield tool allows attackers to trick authenticated users into unknowingly submitting analysis requests. Any Moodle instance with the Brickfield tool enabled is affected, potentially allowing unauthorized content analysis.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific affected versions are not yet published in the references; affects Moodle installations with the Brickfield tool
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Brickfield tool to be enabled and accessible to authenticated users

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could force administrators to analyze arbitrary content, potentially exposing sensitive course data or causing denial of service through resource exhaustion.

🟠

Likely Case

Unauthorized analysis requests submitted through administrator accounts, potentially revealing course structure or content metadata.

🟢

If Mitigated

Limited impact with proper CSRF protections and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an authenticated user to be tricked into interacting, but CSRF attacks are well-understood and easy to implement

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security advisory for specific version

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=467600

Restart Required: No

Instructions:

1. Check the Moodle security advisory for the patched version.
2. Update Moodle to the patched version.
3. Verify Brickfield tool functionality.

🔧 Temporary Workarounds

Disable Brickfield Tool

Operating Systems: all

Temporarily disable the Brickfield accessibility analysis tool

Navigate to Site administration > Plugins > Activity modules > Brickfield accessibility review > Disable

Implement Additional CSRF Protections

Operating Systems: all

Add custom CSRF token validation for Brickfield endpoints

🧯 If You Can't Patch

  • Restrict access to Brickfield tool to trusted administrators only
  • Implement web application firewall rules to detect CSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check if Moodle version is affected and Brickfield tool is enabled in Site administration

Check Version:

Check Moodle version in Site administration > Notifications or via moodle/admin/index.php

Verify Fix Applied:

Verify Moodle version is updated to patched version and test Brickfield analysis functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple analysis requests from same user in short timeframe
  • Analysis requests without proper referrer headers

Network Indicators:

  • POST requests to Brickfield endpoints without CSRF tokens
  • Unusual analysis request patterns

SIEM Query:

web_access_logs WHERE url CONTAINS 'brickfield' AND NOT (referrer CONTAINS 'moodle' OR parameters CONTAINS 'sesskey')
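The SIEM query above as a runnable filter over web access log lines. This is an added example, not part of the original page or of Moodle: the combined-log-like format, the sample lines, the hostname moodle.example.edu and the function names are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumption: the web server logs method,
# path+query, status, Referer and User-Agent in combined-log style).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "POST /admin/tool/brickfield/index.php?tab=checktype&sesskey=abc123 HTTP/1.1" 200 512 "https://moodle.example.edu/admin/tool/brickfield/index.php" "Mozilla/5.0"
10.0.0.5 - - [01/May/2025:10:00:07 +0000] "POST /admin/tool/brickfield/index.php?tab=checktype HTTP/1.1" 200 512 "https://other.example.net/page.html" "Mozilla/5.0"
10.0.0.9 - - [01/May/2025:10:00:09 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2025:10:00:12 +0000] "POST /admin/tool/brickfield/index.php?tab=checktype HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_suspect(method, target, referer, site_host):
    """Mirror the page's SIEM logic: a POST to a brickfield URL that carries
    neither a sesskey parameter nor a same-site Referer. Access logs do not
    record POST bodies, so a sesskey sent in the form body is invisible here;
    hits are leads to confirm in Moodle's own logs, not proof of CSRF."""
    parts = urlsplit(target)
    if method != "POST" or "brickfield" not in parts.path.lower():
        return False
    has_sesskey = "sesskey" in parse_qs(parts.query)
    ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
    same_site = ref_host is not None and ref_host == site_host
    return not (has_sesskey or same_site)

def find_suspect_requests(log_text, site_host):
    """Return (ip, timestamp, target, referer) for every suspect line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_suspect(m["method"], m["target"], m["referer"], site_host):
            hits.append((m["ip"], m["ts"], m["target"], m["referer"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG, "moodle.example.edu"):
        print("suspect:", *hit)
```

A same-site Referer is only a weak signal, since browsers may strip it; treat the sesskey check as the stronger of the two.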

🔗 References
