4.5.4
4.4.8
4.3.12
4.1.18
4.1.18
CVE-2025-3635 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Moodle. This flaw allows unauthenticated attackers to duplicate existing tours within the Moodle platform, potentially leading to unauthorized content modification or disruption. The vulnerability affects Moodle versions up to and including 4.1.9. A fix is available in version 4.1.18.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to create unauthorized copies of existing tours. Tours are often used to guide new users through Moodle's features or provide structured learning paths. An attacker could leverage this to create misleading or malicious tours, potentially confusing users or disrupting the learning experience. While the impact is considered LOW due to the lack of direct data compromise, the potential for disruption and reputational damage should not be underestimated. The duplication could also be used to create a large number of tours, potentially impacting Moodle's performance.
CVE-2025-3635 was published on April 25, 2025. The vulnerability's CVSS score is LOW (3.5), indicating a relatively low probability of exploitation. There are currently no publicly known Proof-of-Concept (POC) exploits. It is not listed on KEV or EPSS, suggesting a low level of active exploitation. Monitor security advisories and community forums for any updates regarding exploitation attempts.
漏洞利用状态
EPSS
0.12% (31% 百分位)
CISA SSVC
CVSS 向量
The recommended mitigation for CVE-2025-3635 is to upgrade Moodle to version 4.1.18 or later. If upgrading immediately is not possible, consider implementing a temporary workaround by enabling CSRF protection for tour duplication functionality. This might involve custom code or plugins, depending on Moodle's architecture and available extensions. Review existing tour configurations and monitor for any unexpected duplication activity. Consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the tour duplication endpoint.
升级到 Moodle 可用的最新版本。版本 4.5.4、4.4.8、4.3.12 和 4.1.18 修复了允许未经授权导览复制的 CSRF 漏洞。升级可以防止此漏洞被利用。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-3635 is a Cross-Site Request Forgery (CSRF) vulnerability in Moodle versions up to 4.1.9, allowing unauthorized tour duplication without login.
You are affected if you are running Moodle versions 4.1.9 or earlier. Upgrade to 4.1.18 or later to resolve the vulnerability.
Upgrade Moodle to version 4.1.18 or later. As a temporary workaround, consider enabling CSRF protection for tour duplication functionality.
Currently, there are no publicly known Proof-of-Concept exploits or reports of active exploitation, but ongoing monitoring is recommended.
Refer to the official Moodle security advisory at [https://security.moodle.org/ - replace with actual URL when available].