CVE-2025-60507
📋 TL;DR
An authenticated user with Teacher role in Moodle can upload a PDF containing malicious JavaScript to the GeniAI plugin. When other users click the generated HTML link, the script executes in their browser, potentially compromising their accounts or stealing session data. All Moodle instances using the vulnerable GeniAI plugin version are affected.
💻 Affected Systems
- Moodle GeniAI plugin (local_geniai)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Teacher uploads malicious PDF, administrator clicks link, attacker gains admin privileges, steals all user data, and takes full control of the Moodle instance.
Likely Case
Teacher uploads PDF with JavaScript that steals session cookies when students click the link, allowing account takeover of multiple users.
If Mitigated
Script execution is blocked by browser security features or Content Security Policy, limiting impact to minor UI manipulation.
🎯 Exploit Status
Exploit requires Teacher role access. Public proof-of-concept demonstrates PDF creation and XSS payload delivery.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://moodle.org/security/
Restart Required: No
Instructions:
1. Check Moodle security advisories for official patch. 2. If patch available, update GeniAI plugin via Moodle plugin manager. 3. Verify plugin version after update.
🔧 Temporary Workarounds
Disable GeniAI plugin
allTemporarily disable the vulnerable plugin until patch is available
Navigate to Site administration > Plugins > Manage plugins > Disable local_geniai
Restrict Teacher upload permissions
allRemove PDF upload capability from Teacher role
Navigate to Site administration > Users > Permissions > Define roles > Edit Teacher role > Remove mod/assign:submit capability
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to block inline script execution
- Monitor PDF uploads and suspicious file activity in Moodle logs
🔍 How to Verify
Check if Vulnerable:
Check GeniAI plugin version in Moodle admin panel: Site administration > Plugins > Manage plugins > local_geniaiCheck Version:
Not applicable - check via Moodle web interfaceVerify Fix Applied:
Verify plugin version is updated beyond 2.3.6 or plugin is disabled📡 Detection & Monitoring
Log Indicators:
- Unusual PDF uploads by Teacher accounts
- Multiple users accessing same GeniAI-generated links
Network Indicators:
- Unexpected JavaScript execution in Moodle context
- Suspicious outbound connections from Moodle sessions
SIEM Query:
source="moodle_logs" AND (event="file_uploaded" AND file_type="pdf") OR (event="plugin_activity" AND plugin="local_geniai")