CVE-2025-3635

LOW severity · CVSS 3.5 · Cross-site request forgery (CSRF)

3.5CVSS LOW

Summary

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionRequired

Confidentiality impactNone

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Affected products we track (1)

Moodle

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://access.redhat.com/security/cve/CVE-2025-3635Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2359709