CVE-2025-67855 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Moodle platform, versions 4.1.0 through 5.1.0. The vulnerability is located in the policy tool return URL, where insufficient input sanitization allows an attacker to inject malicious JavaScript code via specially crafted URL parameters. When a user clicks on such a malicious link, the injected script executes within the context of the user's browser session, potentially leading to theft of session cookies, user impersonation, or disclosure of sensitive information accessible through the browser. This vulnerability does not require any authentication and can be exploited remotely, but it does require user interaction (clicking a link). The CVSS 3.1 base score of 5.4 reflects a medium severity, considering the attack vector is network-based, with low attack complexity, no privileges required, but requiring user interaction. The vulnerability affects multiple recent Moodle versions, which are widely used in educational institutions globally. Although no known exploits have been reported in the wild, the presence of this vulnerability poses a risk to confidentiality and integrity of user data within affected Moodle installations. The lack of patches or official mitigation links in the provided data suggests that organizations should monitor vendor advisories closely and implement interim mitigations.

The primary impact of CVE-2025-67855 is on the confidentiality and integrity of user data within affected Moodle environments. Successful exploitation allows attackers to execute arbitrary scripts in the context of a victim's browser session, potentially leading to session hijacking, theft of authentication tokens, or unauthorized actions performed on behalf of the user. This can result in unauthorized access to sensitive educational records, personal information, or administrative functions. While the vulnerability does not directly affect system availability, the compromise of user accounts can lead to broader security incidents, including privilege escalation or lateral movement if combined with other vulnerabilities. Educational institutions and organizations relying on Moodle for e-learning are particularly at risk, as attackers may target students, educators, or administrators. The requirement for user interaction limits the scope somewhat but does not eliminate risk, especially in phishing-prone environments. The medium CVSS score reflects a moderate risk, but the widespread use of Moodle and the sensitivity of educational data elevate the potential impact.

Organizations should immediately verify if their Moodle installations are running affected versions (4.1.0 through 5.1.0) and prioritize upgrading to patched versions once available. In the absence of official patches, administrators should implement input validation and output encoding on URL parameters, especially those used in the policy tool return URL, to neutralize malicious scripts. Employing a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts in browsers. Additionally, educating users about the risks of clicking untrusted links and implementing web application firewalls (WAFs) with rules to detect and block reflected XSS payloads can reduce exploitation likelihood. Monitoring logs for suspicious URL parameters and anomalous user activity can aid in early detection. Regular security assessments and penetration testing focused on web application vulnerabilities should be conducted. Finally, ensure that session cookies are flagged as HttpOnly and Secure to mitigate session theft risks.