CVE-2025-67850 is a Cross-Site Scripting (XSS) vulnerability identified in the Moodle learning management system, specifically affecting versions 4.1.0, 4.4.0, 4.5.0, 5.0.0, and 5.1.0. The vulnerability stems from insufficient sanitization and neutralization of user-supplied input within the formula editor's arithmetic expression fields. Attackers with authenticated access can inject malicious JavaScript code into these fields. When other users view the compromised expressions, the injected scripts execute in their browsers under the context of the Moodle site, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or exfiltrate sensitive data. The CVSS v3.1 score of 7.3 reflects a high severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), and user interaction to trigger the payload. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported yet, but the presence of this flaw in widely deployed Moodle versions makes it a significant concern for educational institutions and organizations relying on Moodle for e-learning. The flaw highlights the importance of robust input validation and output encoding in web applications, especially in user-generated content areas.

The impact of CVE-2025-67850 is primarily on the confidentiality and integrity of user data within Moodle environments. Successful exploitation could allow attackers to hijack user sessions, steal sensitive information such as personal data or grades, and perform unauthorized actions on behalf of legitimate users. This could lead to data breaches, loss of trust, and potential compliance violations for organizations handling educational data. Since Moodle is widely used by educational institutions globally, the vulnerability could disrupt learning activities and compromise the privacy of students and staff. Although availability is not directly affected, the indirect consequences of data compromise and unauthorized actions could lead to operational disruptions. The requirement for attacker authentication and user interaction somewhat limits the attack scope but does not eliminate the risk, especially in environments with many users and collaborative content creation. The lack of known exploits in the wild currently provides a window for remediation before widespread attacks occur.

To mitigate CVE-2025-67850, organizations should prioritize updating Moodle to a patched version once available from the vendor. In the absence of immediate patches, administrators can implement strict input validation and output encoding on the formula editor's arithmetic expression fields to neutralize malicious scripts. Restricting the ability to input arithmetic expressions to trusted users or roles can reduce exposure. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting the sources from which scripts can be loaded and executed. Regularly auditing user-generated content for suspicious scripts and educating users about the risks of interacting with untrusted content can further reduce exploitation chances. Monitoring logs for unusual activities related to the formula editor and user sessions can help detect attempted attacks. Finally, applying the principle of least privilege to user roles in Moodle minimizes the number of users who can inject potentially malicious content.