Description

Cross-site scripting (XSS) vulnerability in the Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with the Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

INFO

Published Date: 2025-10-21T00:00:00.000Z

Last Modified: 2025-10-21T18:30:11.863Z

Source: mitre

Researchers

The following researchers have claimed that they found this vulnerability.

Onurcan Genç

@onurcangnc

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-60507 vulnerability.

Vendor: Moodle
Products:
  • Moodle

CVSS Vulnerability Scoring System

Detailed values of each vector for the above chart.
Attack Complexity
Attack Vector
Availability Impact
Confidentiality Impact
Integrity Impact
Privileges Required
Scope
User Interaction