CVE-2025-3635 in Moodle
Summary
by MITRE • 04/25/2025
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Analysis
by VulDB Data Team • 09/08/2025
This vulnerability resides in the Moodle learning management system, where improper access controls allow unauthenticated users to manipulate the tour duplication functionality. The flaw stems from insufficient validation of the requester's authentication status during tour creation, so a malicious actor can exploit it without valid credentials. It specifically affects Moodle's tour management component, which guides users through interface elements and features. When a request reaches a tour-related endpoint, the system does not verify that the requester is authorized to perform duplication, creating a pathway for unauthorized changes to tour configurations.
Technically, this is a classic cross-site request forgery weakness that operates outside the standard authentication boundary. An attacker can craft a request that invokes the legitimate tour duplication mechanism while bypassing the normal login requirement, because the system does not enforce CSRF token validation or session verification before executing the duplication. Any remote user can therefore submit a request that duplicates an existing tour, which may lead to unauthorized modification of user-interface guidance elements. The issue is particularly concerning because it affects core administrative functionality that should require authenticated access and appropriate privileges.
The operational impact extends beyond simple tour manipulation, since the flaw represents a significant escalation in unauthorized access to system functions. An attacker could abuse it to create misleading tour content that confuses legitimate users or serves as a vector for further attacks. Because no authentication check is performed, malicious actors could flood the system with duplicate tours, degrading performance or cluttering interface navigation. Since tours often carry instructional content and system guidance, attackers could also introduce misleading information or false pathways that misrepresent how the system works. The vulnerability could further allow attackers to learn the system's tour structure and identify other areas of the application that may share similar authentication bypass issues.
Mitigation should focus on robust authentication checks and CSRF protection throughout the tour management functionality: every tour-related operation should require a valid session and a matching anti-CSRF token before any duplication or modification is executed, following the established practice of mandatory CSRF token validation for all state-changing operations together with proper session management. Organizations running Moodle should also consider network-level protections such as a web application firewall that can detect and block suspicious requests to tour duplication endpoints, and should audit other components regularly for similar authentication bypass issues. The vulnerability aligns with CWE-352, which covers cross-site request forgery, and is mapped to ATT&CK technique T1078 (valid accounts), covering privilege escalation through unauthorized access to system functions. Applying official Moodle updates should be prioritized so that the vulnerability is fixed and proper access controls are maintained for all administrative functions on the platform.
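The check the mitigation paragraph calls for, as an added example that is neither Moodle's code nor part of this advisory: a minimal Python model of a tour-duplication handler in its CWE-352 form beside a hardened form that requires a session, the tour-management privilege, and the session's anti-CSRF token (Moodle's own equivalent is its sesskey, checked with require_sesskey()). The session store, tour table, and forged cross-site request are constructed in-memory stand-ins, not Moodle data structures.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for Moodle's session store and tour table.
SESSIONS = {}  # session id -> {"user", "is_admin", "sesskey"}
TOURS = {1: {"name": "Welcome tour", "steps": ["dashboard", "my courses"]}}


def login(user, is_admin):
    """Create a session; the per-session 'sesskey' is the anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "is_admin": is_admin, "sesskey": secrets.token_hex(16)}
    return sid


def copy_tour(tourid):
    """The duplication logic itself, which is harmless once it is only reachable through the checks."""
    src = TOURS[tourid]
    new_id = max(TOURS) + 1
    TOURS[new_id] = {"name": src["name"] + " (copy)", "steps": list(src["steps"])}
    return new_id


def duplicate_tour_vulnerable(request):
    """CWE-352 pattern: acts on the tour id without checking who sent the request or
    whether it carries the session's anti-CSRF token, so a cross-site form post succeeds."""
    return copy_tour(int(request["tourid"]))


def duplicate_tour_hardened(request):
    """Same operation gated the way a state-changing handler should be:
    valid session, required privilege, and a token only a same-origin page could know."""
    session = SESSIONS.get(request.get("cookie_sid"))
    if session is None:
        raise PermissionError("not logged in")
    if not session["is_admin"]:
        raise PermissionError("missing privilege for tour management")
    # Constant-time compare so a mismatch cannot be probed byte by byte.
    if not hmac.compare_digest(request.get("sesskey", ""), session["sesskey"]):
        raise PermissionError("sesskey missing or invalid: request rejected as possible CSRF")
    return copy_tour(int(request["tourid"]))


def forged_request(victim_sid, tourid):
    """Model of a cross-site POST: the browser attaches the victim's cookie automatically,
    but the attacking page cannot read the victim's sesskey, so the token is absent."""
    return {"cookie_sid": victim_sid, "tourid": str(tourid)}
```

Running duplicate_tour_vulnerable on a forged request creates the copy; duplicate_tour_hardened refuses the same request and only accepts one that carries the victim's own sesskey.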