Platform
php
Component
moodle/moodle
Fixed versions
4.5.4
4.4.8
4.3.12
4.1.18
CVE-2025-3635 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Moodle. This flaw allows unauthenticated attackers to duplicate existing tours within the Moodle platform, potentially leading to unauthorized content modification or disruption. The vulnerability affects Moodle versions up to and including 4.1.9. A fix is available in version 4.1.18.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to create unauthorized copies of existing tours. Tours are often used to guide new users through Moodle's features or provide structured learning paths. An attacker could leverage this to create misleading or malicious tours, potentially confusing users or disrupting the learning experience. While the impact is considered LOW due to the lack of direct data compromise, the potential for disruption and reputational damage should not be underestimated. The duplication could also be used to create a large number of tours, potentially impacting Moodle's performance.
CVE-2025-3635 was published on April 25, 2025. The vulnerability's CVSS score is LOW (3.5), indicating a relatively low probability of exploitation. There are currently no publicly known Proof-of-Concept (POC) exploits. It is not listed on KEV or EPSS, suggesting a low level of active exploitation. Monitor security advisories and community forums for any updates regarding exploitation attempts.
Exploitation status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-3635 is to upgrade Moodle to version 4.1.18 or later. If upgrading immediately is not possible, consider implementing a temporary workaround by enabling CSRF protection for tour duplication functionality. This might involve custom code or plugins, depending on Moodle's architecture and available extensions. Review existing tour configurations and monitor for any unexpected duplication activity. Consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the tour duplication endpoint.
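As an added illustration of the workaround described above (this is not Moodle's own code and not the real tool_usertours duplication handler), the snippet below shows a minimal action script that duplicates a tour, first in the unprotected form that a cross-site request can trigger, then hardened with Moodle's session-key check. The `duplicate_tour()` helper, the script path and the capability name are assumptions; `require_login()`, `require_capability()`, `required_param()`, `require_sesskey()`, `sesskey()` and `moodle_url` are Moodle core APIs.

```php
<?php
// Added example, not Moodle core code. Assumes a hypothetical helper
// duplicate_tour(int $tourid): int that copies a tour and returns the new id.
require(__DIR__ . '/../../config.php');

$tourid  = required_param('id', PARAM_INT);
$context = context_system::instance();

require_login();
// Capability name assumed for the example; check the plugin's db/access.php.
require_capability('tool/usertours:managetours', $context);

// VULNERABLE pattern: a request reaching this point is acted on at once.
// A page on another origin can make a logged-in admin's browser send it
// with the Moodle session cookie attached, so the tour is duplicated
// without the admin intending it. This is the CSRF condition.
//
//   $newid = duplicate_tour($tourid);

// HARDENED pattern: require the per-session anti-CSRF token. Moodle issues
// it through sesskey() and embeds it in its own links and forms; a page on
// another origin cannot read it, so a forged request fails here with an
// exception before any state changes.
require_sesskey();

$newid = duplicate_tour($tourid);

// The legitimate link that triggers this script must carry the token, e.g.
// (path assumed):
//   new moodle_url('/admin/tool/usertours/duplicate.php',
//                  ['id' => $tourid, 'sesskey' => sesskey()]);
redirect(new moodle_url('/admin/tool/usertours/index.php'),
         get_string('changessaved'));
```

The same check should sit in front of every state-changing action, not only duplication; a useful audit is to grep the plugin for state-changing scripts that lack `require_sesskey()` or `confirm_sesskey()`.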
Update Moodle to the latest available version. Versions 4.5.4, 4.4.8, 4.3.12, and 4.1.18 fix the CSRF vulnerability that allows unauthorized duplication of tours. Updating prevents exploitation of this vulnerability.
CVE-2025-3635 is a Cross-Site Request Forgery (CSRF) vulnerability in Moodle versions up to 4.1.9, allowing unauthorized tour duplication without login.
You are affected if you are running Moodle versions 4.1.9 or earlier. Upgrade to 4.1.18 or later to resolve the vulnerability.
Upgrade Moodle to version 4.1.18 or later. As a temporary workaround, consider enabling CSRF protection for tour duplication functionality.
Currently, there are no publicly known Proof-of-Concept exploits or reports of active exploitation, but ongoing monitoring is recommended.
Refer to the official Moodle security advisory at [https://security.moodle.org/ - replace with actual URL when available].