CVE-2025-60507: n/a
Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.
AI Analysis
Technical Summary
CVE-2025-60507 is a stored cross-site scripting (XSS) vulnerability in version 2.3.6 of the Moodle GeniAI plugin (local_geniai). An authenticated user holding the Teacher role uploads a PDF that carries embedded JavaScript (in PDF terms, typically an /OpenAction or /AA trigger pointing at a /JavaScript action). The assistant then emits a direct HTML link to that file in its output, without inspecting the file or routing the link through a download-only handler. When another user, whether a Student or an Administrator, follows the link, the browser opens the PDF inline and the embedded script runs in the victim's browser within the Moodle origin, so it can read session-scoped data, issue requests as the victim, or inject content into what the victim sees. How much of the PDF JavaScript API a viewer actually executes varies by browser and viewer, so the practical impact depends on the victim's client. Exploitation requires Teacher-level authentication and user interaction (the victim must click the link). The entry records a CVSS v3.1 base score of 8.9 (High) with a vector of network attack vector, low attack complexity, low privileges required, user interaction required, impact on confidentiality and integrity, and changed scope. The scope is changed because the vulnerable component (the plugin on the server) differs from the impacted component (the victim's browser session); the practical privilege gain comes from an Administrator following a Teacher's link, not from the bug escalating privileges by itself. No patch or public exploit was recorded at the time of this entry, but given how widely Moodle is deployed in education the exposure is significant.
Potential Impact
For European organisations, in particular the universities, colleges and schools that run Moodle as their learning management system, the exposure is real. A script running in an Administrator's browser session can read or change whatever that session can reach: student records, grades, personal data and site configuration. In a Student's session it can hijack the session or harvest credentials through injected content, and the assistant's link itself can be reused as a phishing lure inside the institution. Any resulting breach of personal data falls under GDPR. The need for Teacher-level authentication narrows the attack surface but does not remove it: teachers are legitimate users, and a phished or reused teacher password is a realistic starting point. With no patch recorded, compensating controls are the immediate priority.
Mitigation Recommendations
1. Fix the serving path, not just the link text. Files uploaded through the plugin must be delivered with Content-Disposition: attachment (or through Moodle's own file-serving path with download forced) and, ideally, from a separate cookieless domain, so that a PDF is never rendered inline inside the Moodle origin. Output-encoding the href alone does not help, because the script lives inside the file, not in the link.
2. Until a fixed release is available, disable the GeniAI plugin or restrict its file-upload capability to a small set of trusted accounts; review which roles can upload and which can see assistant output.
3. Scan existing uploads for PDFs carrying /OpenAction, /AA, /JavaScript or /JS entries and quarantine matches. Moodle stores file bodies in moodledata/filedir by content hash with no extension, so identify PDFs by their %PDF header rather than by file name.
4. Monitor Moodle logs for unusual upload activity and for administrator accounts following links emitted by the assistant.
5. Deploy a Content Security Policy as defence in depth, but do not treat it as the fix: CSP constrains scripts in the HTML documents Moodle serves, not JavaScript executed by a browser's PDF viewer for a PDF opened directly. Send X-Content-Type-Options: nosniff on served files.
6. Brief teachers and administrators: uploads from teacher accounts are trusted by the system, so a compromised teacher account is the realistic entry point, and links produced by the assistant deserve the same suspicion as any other user-supplied link.
7. Apply the vendor update as soon as one is published, and keep Moodle core and plugins current.
8. Limit blast radius with session hardening (HttpOnly and SameSite cookies, short administrator sessions) and by keeping administrator accounts separate from day-to-day teaching accounts.
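The scan in item 3 above, written out as an added example (this is not code from the GeniAI plugin, from Moodle, or from this entry). It looks for the PDF constructs a "PDF XSS" payload needs, the /OpenAction or /AA trigger and the /JavaScript or /JS action, and handles two evasions a plain byte search misses: hex-escaped names (/J#53 is the same name as /JS) and objects hidden inside FlateDecode-compressed streams. The function and sample names are this example's own, and the four sample PDFs are constructed inline rather than taken from any real upload.

```python
"""Scan stored uploads for PDFs carrying auto-run JavaScript.

Added example, not code from the GeniAI plugin or from Moodle. Flags the
names a PDF-borne script needs (/OpenAction, /AA, /JavaScript, /JS,
/Launch) after undoing name hex-escapes and inflating Flate streams.
"""
import re
import zlib
from pathlib import Path
from typing import Iterator, List, Tuple

# Names whose presence means the file can run code or an action on open.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes (ISO 32000 7.3.5) so /J#53 reads as /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return data with the decoded body of every zlib stream appended.

    Object streams (/Type /ObjStm) are normally FlateDecode, so a payload
    placed there is invisible to a search of the raw bytes. Streams that
    are not zlib data are skipped; a truncated stream yields what it can.
    """
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def find_active_content(pdf: bytes) -> List[str]:
    """Return the suspicious names found, in SUSPICIOUS_NAMES order."""
    text = normalize_names(inflate_streams(pdf))
    hits = []
    for name in SUSPICIOUS_NAMES:
        # A name token ends at a delimiter, so /JS must not match /JSON.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            hits.append(name.decode())
    return hits


def scan_tree(root: Path) -> Iterator[Tuple[Path, List[str]]]:
    """Yield (path, hits) for every PDF under root that has active content.

    Moodle keeps file bodies in moodledata/filedir/xx/yy/<sha1> with no
    extension, so PDFs are recognised by their header, not their name.
    """
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            if data.startswith(b"%PDF"):
                hits = find_active_content(data)
                if hits:
                    yield path, hits


# --- constructed samples (not real uploads) -----------------------------

def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

PAGES = b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"

BENIGN = _pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + PAGES)

# Plain payload: catalog auto-runs object 3, which is a JavaScript action.
OPENACTION_JS = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + PAGES
    + b"3 0 obj << /S /JavaScript /JS (app.alert('xss')) >> endobj")

# Same payload with the tell-tale names hex-escaped.
HEX_ESCAPED = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
    + PAGES
    + b"3 0 obj << /S /Java#53cript /J#53 (app.alert('xss')) >> endobj")

# Same payload inside a Flate-compressed object stream.
_hidden = zlib.compress(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('xss')) >> endobj")
IN_OBJSTM = _pdf(
    PAGES
    + b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
    % len(_hidden)
    + _hidden
    + b"\nendstream\nendobj")


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("openaction", OPENACTION_JS),
                          ("hex-escaped", HEX_ESCAPED), ("objstm", IN_OBJSTM)):
        print(f"{label:12s} {find_active_content(sample)}")
```

Run it against a copy of moodledata/filedir with scan_tree(Path("/path/to/filedir")) and quarantine whatever it reports; a hit is not proof of malice (forms legitimately use /AA and /JS), so review matches by hand. Object streams are the main evasion to expect; encrypted PDFs and filters other than Flate are outside what this scanner decodes.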
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f7c9acdde5d1d51b5517bd
Added to database: 10/21/2025, 5:58:04 PM
Last enriched: 10/21/2025, 6:02:02 PM
Last updated: 10/24/2025, 5:28:43 AM