
Commit 1eef6f4

1 parent b4a87d6 commit 1eef6f4

4 files changed

Lines changed: 306 additions & 84 deletions


Lines changed: 149 additions & 0 deletions
@@ -0,0 +1,149 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6mmv-f6c6-v6q8",
4+
"modified": "2026-02-03T19:05:25Z",
5+
"published": "2026-02-03T12:30:28Z",
6+
"aliases": [
7+
"CVE-2025-67850"
8+
],
9+
"summary": "Moodle vulnerable to Cross-site Scripting",
10+
"details": "A flaw was found in Moodle. This vulnerability, known as Cross-site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "moodle/moodle"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.1.22"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "moodle/moodle"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.4.0-beta"
48+
},
49+
{
50+
"fixed": "4.4.12"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "moodle/moodle"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.5.0-beta"
67+
},
68+
{
69+
"fixed": "4.5.8"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Packagist",
78+
"name": "moodle/moodle"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "5.0.0-beta"
86+
},
87+
{
88+
"fixed": "5.0.4"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Packagist",
97+
"name": "moodle/moodle"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "5.1.0-beta"
105+
},
106+
{
107+
"fixed": "5.1.1"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "ADVISORY",
117+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67850"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/moodle/moodle/commit/c85f153068a717a3b28bc122e75154bac99e67e1"
122+
},
123+
{
124+
"type": "WEB",
125+
"url": "https://access.redhat.com/security/cve/CVE-2025-67850"
126+
},
127+
{
128+
"type": "WEB",
129+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423838"
130+
},
131+
{
132+
"type": "PACKAGE",
133+
"url": "https://github.com/moodle/moodle"
134+
},
135+
{
136+
"type": "WEB",
137+
"url": "https://moodle.org/mod/forum/discuss.php?d=471300"
138+
}
139+
],
140+
"database_specific": {
141+
"cwe_ids": [
142+
"CWE-79"
143+
],
144+
"severity": "HIGH",
145+
"github_reviewed": true,
146+
"github_reviewed_at": "2026-02-03T19:05:25Z",
147+
"nvd_published_at": "2026-02-03T11:15:55Z"
148+
}
149+
}
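Review bot: The `affected` ranges leave the 4.2.x and 4.3.x branches outside every range: the first range ends at `"fixed": "4.1.22"` and the next one starts at `"introduced": "4.4.0-beta"`, so a scanner matching `moodle/moodle` 4.2 or 4.3 against this record will report it as unaffected. Nothing on the page says those branches are free of the formula-editor XSS; the gap is presumably there because they are end-of-life and received no fixed release, in which case the record understates exposure. If upstream confirms they are affected, start the second range earlier, for example `"introduced": "4.2.0-beta"` following the record's own `-beta` convention, so those installs resolve to the 4.4.12 fix. The same gap is present in the second advisory file (GHSA-qfh6-h7j6-fvjv).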
Lines changed: 157 additions & 0 deletions
@@ -0,0 +1,157 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qfh6-h7j6-fvjv",
4+
"modified": "2026-02-03T19:06:25Z",
5+
"published": "2026-02-03T12:30:28Z",
6+
"aliases": [
7+
"CVE-2025-67851"
8+
],
9+
"summary": "Moodle formula injection vulnerability",
10+
"details": "A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "moodle/moodle"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.1.22"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "moodle/moodle"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.4.0-beta"
48+
},
49+
{
50+
"fixed": "4.4.12"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "moodle/moodle"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.5.0-beta"
67+
},
68+
{
69+
"fixed": "4.5.8"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Packagist",
78+
"name": "moodle/moodle"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "5.0.0-beta"
86+
},
87+
{
88+
"fixed": "5.0.4"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Packagist",
97+
"name": "moodle/moodle"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "5.1.0-beta"
105+
},
106+
{
107+
"fixed": "5.1.1"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "ADVISORY",
117+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67851"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/moodle/moodle/commit/29820c5ff4ef381c7a743091ec5c68ac82903b22"
122+
},
123+
{
124+
"type": "WEB",
125+
"url": "https://github.com/moodle/moodle/commit/aa66bacd0783cbc33528fba9c2adca1f685a59bd"
126+
},
127+
{
128+
"type": "WEB",
129+
"url": "https://github.com/moodle/moodle/commit/dc57ccc491a2a04032445a3ee92fd0d335ebd746"
130+
},
131+
{
132+
"type": "WEB",
133+
"url": "https://access.redhat.com/security/cve/CVE-2025-67851"
134+
},
135+
{
136+
"type": "WEB",
137+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423841"
138+
},
139+
{
140+
"type": "PACKAGE",
141+
"url": "https://github.com/moodle/moodle"
142+
},
143+
{
144+
"type": "WEB",
145+
"url": "https://moodle.org/mod/forum/discuss.php?d=471301"
146+
}
147+
],
148+
"database_specific": {
149+
"cwe_ids": [
150+
"CWE-1236"
151+
],
152+
"severity": "MODERATE",
153+
"github_reviewed": true,
154+
"github_reviewed_at": "2026-02-03T19:06:25Z",
155+
"nvd_published_at": "2026-02-03T11:15:55Z"
156+
}
157+
}
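Review bot: The `details` text says "A remote attacker could exploit this", while the vector on the `score` line is `AV:L`, so the prose and the score disagree about where the attack is launched from. For formula injection the data is submitted to Moodle and only evaluated later, when a user opens the export in a spreadsheet application, which is likely what `AV:L` together with `UI:R` is meant to express. I would say so in `details`, for example by appending `The formulas are evaluated on the machine of the user who opens the exported file, not on the Moodle server.`, so that triage does not read this record as server-side execution.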

advisories/unreviewed/2026/02/GHSA-6mmv-f6c6-v6q8/GHSA-6mmv-f6c6-v6q8.json

Lines changed: 0 additions & 40 deletions
This file was deleted.

advisories/unreviewed/2026/02/GHSA-qfh6-h7j6-fvjv/GHSA-qfh6-h7j6-fvjv.json

Lines changed: 0 additions & 44 deletions
This file was deleted.
