CVE-2025-26529
Published: 24 February 2025
Summary
CVE-2025-26529 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Moodle (vendor: Moodle). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly addresses the lack of sanitization of description information displayed in the site administration live log, preventing stored XSS execution.
- SI-10 (Information Input Validation): Validates log inputs to block malicious script injection before storage, mitigating the root cause of the stored XSS vulnerability.
- Patching: Ensures timely application of the fix for the specific sanitization flaw, as provided in the Moodle commit for MDL-84145.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing Moodle web application enables remote exploitation without authentication (T1190) and arbitrary JavaScript execution in an administrator's browser context (T1059.007).
NVD Description
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
Deeper analysis
CVE-2025-26529 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Moodle learning management system. The flaw occurs in the site administration live log, where description information displayed to administrators lacked sufficient sanitization, enabling a stored XSS risk. It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-02-24.
Attackers can exploit this vulnerability remotely over the network without requiring authentication privileges (PR:N), though it demands high attack complexity (AC:H) and user interaction (UI:R), such as an administrator viewing the affected log. Successful exploitation changes scope (S:C) and can lead to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing attackers to execute arbitrary scripts in the victim's browser context.
Mitigation is provided through a patch in the Moodle Git repository, searchable under commit details for MDL-84145 at http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145. Additional discussion and context are available in the Moodle forum thread at https://moodle.org/mod/forum/discuss.php?d=466145.
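The two controls named above (SI-15 output filtering and SI-10 input validation) and the defect class described in the analysis can be made concrete with a small log-viewer stand-in. The following Python is an added example, not Moodle's code and not the MDL-84145 patch (Moodle is written in PHP and has its own escaping helpers, which this does not reproduce). The log rows, field names and the `render_row_*` functions are constructed for illustration; the one suspicious row uses a textbook HTML event-handler probe so the difference between raw and encoded output is visible.

```python
"""Added example (not Moodle's code): output filtering and input validation
for a log-viewer page, modelled on the class of defect CVE-2025-26529 describes.
All rows, names and functions here are constructed for illustration."""
import html
import re

# Constructed sample rows, standing in for the "description" field shown in
# the site administration live log. Row 2 carries markup of the kind a
# stored-XSS entry would rely on; row 3 is benign text that merely contains
# characters an encoder must handle.
SAMPLE_LOG_ROWS = [
    {"id": 1, "user": "alice", "description": "The user viewed the course 'Intro 101'."},
    {"id": 2, "user": "mallory", "description": "Renamed item to <img src=x onerror=alert(1)>"},
    {"id": 3, "user": "bob", "description": 'Quote "test" & Co <3'},
]

# Heuristic for active content that has no business in a plain-text log
# description: an HTML tag start, an on*= event-handler attribute, or a
# javascript: URL. Conservative by design; review hits rather than auto-delete.
_ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:",
                            re.IGNORECASE)


def encode_description(description: str) -> str:
    """NIST SI-15 (output filtering): HTML-encode the untrusted field at the
    point of output. quote=True also encodes ' and ", which matters if the
    value is ever placed inside an attribute rather than element text."""
    return html.escape(description, quote=True)


def render_row_unsafe(row: dict) -> str:
    """Vulnerable shape: the stored description is interpolated into the page
    verbatim, so any markup it contains reaches the administrator's browser as
    markup. This is the CWE-79 (stored) pattern the CVE describes."""
    return (f"<tr><td>{row['id']}</td><td>{row['user']}</td>"
            f"<td>{row['description']}</td></tr>")


def render_row_safe(row: dict) -> str:
    """Hardened shape: every untrusted cell is encoded before it is emitted,
    so stored markup is displayed as text instead of being executed."""
    return (f"<tr><td>{html.escape(str(row['id']), quote=True)}</td>"
            f"<td>{html.escape(row['user'], quote=True)}</td>"
            f"<td>{encode_description(row['description'])}</td></tr>")


def description_is_clean(description: str) -> bool:
    """NIST SI-10 (input validation): reject a description containing active
    markup before it is stored. Defence in depth only; output encoding in
    render_row_safe remains the primary fix."""
    return _ACTIVE_MARKUP.search(description) is None


def find_suspicious_rows(rows: list[dict]) -> list[int]:
    """Detection sweep over already-stored rows: return the ids whose
    description carries active markup, so a defender can review what an
    unpatched viewer would have rendered to administrators."""
    return [row["id"] for row in rows if not description_is_clean(row["description"])]


if __name__ == "__main__":
    print("rows needing review:", find_suspicious_rows(SAMPLE_LOG_ROWS))
    for row in SAMPLE_LOG_ROWS:
        print("UNSAFE:", render_row_unsafe(row))
        print("SAFE:  ", render_row_safe(row))
```

Running the module shows row 2 rendered as live markup by the unsafe path and as inert `&lt;img ...&gt;` text by the safe path, while the sweep flags only that row for review; row 3's quotes, ampersand and `<3` are encoded but not flagged, which is the intended split between validation (reject what should never be stored) and output filtering (encode everything regardless).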
Details
- CWE(s)