CVE-2025-3637

LOW 3.1

Moodle: csrf token exposure via url in moodle mod_data module

CVSS Score

3.1

EPSS Score

0.0%

EPSS Percentile

0th

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

CWE	CWE-598
Published	Apr 25, 2025
Last Updated	Apr 25, 2025

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new low vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.moodle.org: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-3637 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2359727

Credits

Red Hat would like to thank Simon Reinhart for reporting this issue.