CVE-2025-67850
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Moodle allows attackers to inject malicious JavaScript code into arithmetic expression fields in the formula editor. When other users view these compromised expressions, the malicious code executes in their browsers, potentially stealing session cookies, credentials, or performing unauthorized actions. All Moodle instances with vulnerable versions are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the Moodle instance, modify course content, access sensitive student data, or deploy ransomware-like attacks on the platform.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access their private data, submit assignments on their behalf, or modify grades in courses where they have instructor access.
If Mitigated
With proper input validation and output encoding, the malicious payload would be rendered as harmless text rather than executable code, preventing any exploitation.
🎯 Exploit Status
Exploitation requires the attacker to have access to create or edit content with formula editor fields (typically requires at least student-level access). The XSS payload would then affect users who view that content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moodle security advisory for specific patched version
Vendor Advisory: https://moodle.org/security/
Restart Required: No
Instructions:
1. Check the Moodle security advisory for affected versions.
2. Upgrade to the patched version.
3. Clear Moodle caches after the upgrade.
4. Test formula editor functionality.
🔧 Temporary Workarounds
Disable formula editor
Temporarily disable the formula editor component to prevent exploitation
Navigate to Site administration > Plugins > Text editors > Atto HTML editor > Atto toolbar settings and remove 'equation' from toolbar config
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: script-src 'self' to the web server configuration, then test the site: this directive also blocks inline scripts, so pages that rely on them need to be verified after the change
🧯 If You Can't Patch
- Restrict user permissions to minimize who can create/edit content with formula editor fields
- Implement web application firewall rules to block common XSS payload patterns in POST/PUT requests
🔍 How to Verify
Check if Vulnerable:
Check the Moodle version against the security advisory. In a test environment, submit a basic XSS payload such as <script>alert('test')</script> into a formula editor field and observe whether it executes when the content is viewed.
Check Version:
Navigate to Site administration > Notifications in Moodle admin panel to see current version
Verify Fix Applied:
After patching, attempt the same XSS injection test; payload should be properly sanitized and not execute. Check that formula editor still functions correctly for legitimate mathematical expressions.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in formula editor submissions containing script tags or JavaScript functions
- Multiple failed login attempts following formula editor content creation
Network Indicators:
- Outbound connections to suspicious domains following formula editor page views
- Unusual POST requests to formula editor endpoints
SIEM Query:
source="moodle_logs" AND (message="*<script>*" OR message="*javascript:*") AND component="formula_editor"
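The SIEM query above matches literal script tags. As an added example (not part of the advisory), the scanner below applies the same rule to log lines but also normalizes the submitted value first, so variants such as upper-case tags or HTML-entity-encoded input, which a literal match can miss depending on the SIEM, are still flagged. The key=value log format, the component name and the sample lines are constructed for illustration, not real Moodle output.

```python
# Added example, not Moodle code: detection logic for the advisory's SIEM rule.
# The log line format and the "formula_editor" component name are hypothetical;
# map them to the fields your Moodle log pipeline actually emits.
import html
import re
from typing import Dict, List

# Script tags or javascript: URIs have no place in a TeX/formula expression.
# Matched case-insensitively after entity decoding.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def normalize(value: str) -> str:
    """Decode HTML entities twice so that '&lt;script&gt;' and the
    double-encoded '&amp;lt;script&amp;gt;' are both seen as '<script>'."""
    return html.unescape(html.unescape(value))


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key="quoted value"' log line."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Apply the rule only to formula editor submissions (the advisory's scope)."""
    if entry.get("component") != "formula_editor":
        return False
    return bool(SUSPICIOUS.search(normalize(entry.get("message", ""))))


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that the rule flags."""
    return [e for e in (parse_log_line(line) for line in lines) if is_suspicious(e)]


# Constructed sample log lines (not real Moodle output).
SAMPLE_LOGS = [
    'ts=2025-01-01T10:00:00Z user=alice component="formula_editor" message="\\frac{a}{b} + \\sqrt{c}"',
    'ts=2025-01-01T10:01:00Z user=bob component="formula_editor" message="<SCRIPT>alert(\'test\')</SCRIPT>"',
    'ts=2025-01-01T10:02:00Z user=carol component="formula_editor" message="&lt;script&gt;alert(\'test\')&lt;/script&gt;"',
    'ts=2025-01-01T10:03:00Z user=dave component="forum" message="<script>alert(\'test\')</script>"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"flagged user={hit['user']} at {hit['ts']}: {hit['message']}")
```

The legitimate TeX expression and the forum entry outside the rule's scope are not flagged; the upper-case and entity-encoded submissions are.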