CVE-2025-26529 Overview
CVE-2025-26529 is a stored Cross-Site Scripting (XSS) vulnerability affecting Moodle, the popular open-source learning management system. The vulnerability exists in the site administration live log functionality where description information is displayed without adequate sanitization. This allows attackers to inject malicious scripts that are stored on the server and executed when administrators view the affected log entries.
Critical Impact
Attackers can inject persistent malicious JavaScript code into the site administration live log, potentially compromising administrator sessions, stealing credentials, or performing unauthorized actions on behalf of privileged users.
Affected Products
- Moodle LMS (multiple versions affected)
- Moodle site administration live log component
- Systems running vulnerable Moodle installations
Discovery Timeline
- 2025-02-24 - CVE CVE-2025-26529 published to NVD
- 2025-08-08 - Last updated in NVD database
Technical Details for CVE-2025-26529
Vulnerability Analysis
This stored XSS vulnerability stems from insufficient input sanitization in the Moodle site administration live log display functionality. When description information is rendered in the live log interface, the application fails to properly encode or sanitize user-controlled content before displaying it in the HTML context. This allows attackers to craft malicious payloads containing JavaScript code that gets stored in the system and subsequently executed in the browsers of users who view the affected log entries.
The vulnerability is particularly concerning in educational environments where Moodle is widely deployed, as successful exploitation could lead to session hijacking of administrator accounts, defacement of the learning platform, or theft of sensitive user data. The changed scope characteristic indicates that the vulnerability can affect resources beyond its original security context.
Root Cause
The root cause is insufficient output encoding and input sanitization (CWE-79) in the live log display component. When user-supplied description data is stored and later rendered in the administration interface, the application does not apply proper HTML entity encoding or content security measures, allowing script tags and JavaScript event handlers to be interpreted and executed by the browser.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by submitting specially crafted input containing malicious JavaScript code that gets stored in the system. When an administrator or authorized user views the site administration live log, the malicious script executes in their browser context. This could be used to steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of the victim user.
The vulnerability does not require authentication to inject the malicious payload in certain scenarios, though the impact primarily affects authenticated administrators who view the compromised log entries. For detailed technical information about the fix, refer to the Moodle Commit Reference MDL-84145.
Detection Methods for CVE-2025-26529
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in live log description fields
- Suspicious <script> tags, onerror, onload, or other event handlers in log entries
- Reports of unexpected browser behavior when administrators access the live log
- Unauthorized session activity or credential theft incidents traced to log viewing
Detection Strategies
- Implement web application firewall (WAF) rules to detect XSS payloads in incoming requests
- Monitor Moodle database tables for suspicious content containing script tags or JavaScript event handlers
- Review HTTP request logs for payloads containing encoded or obfuscated XSS vectors
- Deploy browser-based XSS detection extensions for administrative users during incident response
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture blocked inline script execution attempts
- Configure logging for Moodle administrative interface access patterns
- Monitor for anomalous session behavior following administrator access to live logs
- Implement alerting for any database entries containing HTML/JavaScript in description fields
How to Mitigate CVE-2025-26529
Immediate Actions Required
- Update Moodle to the latest patched version that addresses MDL-84145
- Review existing live log entries for signs of stored XSS payloads
- Implement Content Security Policy headers to mitigate the impact of any existing stored payloads
- Advise administrators to be cautious when viewing live logs until patching is complete
Patch Information
Moodle has released patches to address this vulnerability. The fix involves adding proper sanitization to description information displayed in the site administration live log. Administrators should apply the security update as soon as possible. For patch details, refer to the Moodle Commit Reference MDL-84145 and the Moodle Forum Discussion Thread for the official security advisory.
Workarounds
- Restrict access to the site administration live log feature to essential personnel only
- Implement a Web Application Firewall (WAF) with XSS filtering rules
- Deploy strict Content Security Policy headers to prevent inline script execution
- Consider temporarily disabling the live log feature until patches can be applied
# Example: Apache Content Security Policy header configuration
# Add to your Moodle virtual host or .htaccess file
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
# Example: Nginx Content Security Policy header configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
