Search for vulnerabilities
Vulnerability details: VCID-a38w-c7bh-jye8
Vulnerability ID VCID-a38w-c7bh-jye8
Aliases CVE-2025-3643
GHSA-hxgg-4qww-85ph
Summary Moodle has reflected Cross-site Scripting risk in policy tool A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 5.4 https://access.redhat.com/security/cve/CVE-2025-3643
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2025-3643
ssvc Track https://access.redhat.com/security/cve/CVE-2025-3643
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3643
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2025-3643
cvssv3.1 5.4 https://bugzilla.redhat.com/show_bug.cgi?id=2359742
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2359742
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2359742
cvssv3.1 5.4 https://github.com/moodle/moodle
generic_textual MODERATE https://github.com/moodle/moodle
cvssv3.1 5.4 https://github.com/moodle/moodle/commit/ff9bbd6d9e7d6267ce85e6c9afbeb19581f2a85f
generic_textual MODERATE https://github.com/moodle/moodle/commit/ff9bbd6d9e7d6267ce85e6c9afbeb19581f2a85f
cvssv3.1 5.4 https://moodle.org/mod/forum/discuss.php?d=467604
generic_textual MODERATE https://moodle.org/mod/forum/discuss.php?d=467604
ssvc Track https://moodle.org/mod/forum/discuss.php?d=467604
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2025-3643
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-3643
Reference id Reference type URL
https://access.redhat.com/security/cve/CVE-2025-3643
https://api.first.org/data/v1/epss?cve=CVE-2025-3643
https://bugzilla.redhat.com/show_bug.cgi?id=2359742
https://github.com/moodle/moodle
https://github.com/moodle/moodle/commit/ff9bbd6d9e7d6267ce85e6c9afbeb19581f2a85f
https://moodle.org/mod/forum/discuss.php?d=467604
https://nvd.nist.gov/vuln/detail/CVE-2025-3643
GHSA-hxgg-4qww-85ph https://github.com/advisories/GHSA-hxgg-4qww-85ph
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-3643
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:42:55Z/ Found at https://access.redhat.com/security/cve/CVE-2025-3643
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2359742
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:42:55Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2359742
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/ff9bbd6d9e7d6267ce85e6c9afbeb19581f2a85f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://moodle.org/mod/forum/discuss.php?d=467604
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:42:55Z/ Found at https://moodle.org/mod/forum/discuss.php?d=467604
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-3643
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07584
EPSS Score 0.00032
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:12:11.287432+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-hxgg-4qww-85ph/GHSA-hxgg-4qww-85ph.json 36.1.3