A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-12526 A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Github GHSA Github GHSA GHSA-88xj-97gf-7wpq Moodle has a CSRF risk in user tours manager that allows tour duplication
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 24 Jun 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Moodle
Moodle moodle
CPEs cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Vendors & Products Moodle
Moodle moodle

Fri, 25 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 25 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Title Moodle: csrf risk in moodle user tours manager allows tour duplication
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: fedora

Published:

Updated: 2025-04-25T16:00:54.948Z

Reserved: 2025-04-15T10:06:48.633Z

Link: CVE-2025-3635

cve-icon Vulnrichment

Updated: 2025-04-25T15:43:12.516Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-25T15:15:37.230

Modified: 2025-06-24T16:08:36.127

Link: CVE-2025-3635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-06-24T09:44:20Z