Bug 2347398

Summary:	CVE-2025-26529 moodle: Stored XSS risk in admin live log [fedora-41]
Product:	[Fedora] Fedora	Reporter:	Robb Gatica <rgatica>
Component:	moodle	Assignee:	Gwyn Ciesla <gwync>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	high
Version:	41	CC:	gwync, igor.raits, sergio
Target Milestone:	---	Keywords:	Security, SecurityTracking
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	{"flaws": ["24262056-a518-4cc2-9bcd-a2ef83efa64c"]}
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2025-03-06 12:47:43 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2347363

Description Robb Gatica 2025-02-24 21:27:42 UTC

More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2347363

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Sergio Basto 2025-03-06 12:47:43 UTC

https://moodle.org/mod/forum/discuss.php?d=466145#p1871275

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: 	Serious
Versions affected: 	4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions
Versions fixed: 	4.5.2, 4.4.6, 4.3.10 and 4.1.16
Reported by: 	nightbloodz
CVE identifier: 	CVE-2025-26529
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145
Tracker issue: 	MDL-84145 Stored XSS risk in admin live log

Current versions: moodle-4.5.2-1.fc42, moodle-4.4.6-1.fc41 and moodle-4.3.10-1.fc40