Immersive security researchers discovered critical vulnerabilities in Planet Technology network management and switch products, allowing full device control.…

Immersive security researchers discovered critical vulnerabilities in Planet Technology network management and switch products, allowing full device control. Learn about the flaws, affected models and the urgent need to apply Planet’s patches.

Cybersecurity firm Immersive has identified critical security weaknesses affecting network management tools and industrial switches manufactured by Planet Technology, a Taiwanese IP-based networking products manufacturer. According to their blog post, shared with Hackread.com, these issues can allow attackers to control all network devices managed by these vulnerable.

Immersive’s team, led by security researcher Kev Breen, discovered multiple vulnerabilities in the company’s industrial control systems. The team initiated an investigation after the company’s products were flagged as vulnerable by CISA in a security advisory in December 2024.

Researchers obtained firmware from the Planet Technology website, and compressed firmware files using the BIX format (a variation of GZIP) for easy extraction. Techniques like UART logging (the process of capturing and recording data transmitted and received through the Universal Asynchronous Receiver/Transmitter (UART) interface) and tools like Binwalk were used to verify and understand the reported issues.

During their research, apart from the vulnerabilities mentioned in CISA’s report, the team uncovered additional previously undisclosed critical flaws. These issues were detected by examining the internal software of Planet Technology’s network management systems (used to remotely oversee numerous Planet devices) and industrial switches (specifically models WGS-80HPT-V2 and WGS-4215-8T2S). Here’s a breakdown of the identified issues:

*   CVE-2025-46271 (Planet network management systems)
*   CVE-2025-46274 (Planet network management systems)
*   CVE-2025-46272 (WGS-80HPT-V2 and WGS-4215-8T2S industrial switches)
*   CVE-2025-46275 (WGS-80HPT-V2 and WGS-4215-8T2S industrial switches)
*   CVE-2025-46273 (Planet network management systems and all managed devices)

CVE-2025-46271 is a pre-authentication command injection flaw in network management systems (NMS) allowing complete control. CVE-2025-46274 involves hard-coded, remotely accessible Mongo database credentials in the NMS, also leading to full control. CVE-2025-46273 reveals hard-coded communication credentials between the NMS and managed devices, enabling remote interception and configuration changes.

For specific industrial switches, CVE-2025-46272 is a post-authentication command injection vulnerability granting root access, and CVE-2025-46275 is an authentication bypass allowing unauthorized configuration modifications and admin account creation. All these flaws pose a significant risk of complete system compromise for affected Planet Technology devices.

As per Immersive’s analysis, hackers could use these weaknesses to run their own commands on the devices and even bypass the login security on some switches. They also discovered that the network management system had hidden, default usernames and passwords (like “client:client” for MQTT and “planet:123456” for MongoDB) that anyone could use. This could allow attackers to see everything happening on the network and even change how the devices are set up.

Using online tools like Shodan and Censys, researchers found many internet-connected Planet Technology devices that could be at risk. Immersive shared their findings with CISA, who helped contact Planet Technology. The company has now released software updates (patches) to fix these problems. CISA is advising all users of these Planet Technology products to take steps to protect their networks as soon as possible.

Planet Technology Industrial Switch Flaws Risk Full Takeover – Patch Now

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how…

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how to check if your SAP Java systems are affected and the immediate steps to take.

A serious security vulnerability, identified as CVE-2025-31324, was discovered in SAP NetWeaver’s Visual Composer development server. This critical issue, scoring a perfect 10.0 in severity, stems from a missing check that should verify if a user has the correct permissions and is being actively exploited, reveals a report from Onapsis Threat Intelligence. 

Research reveals that the flaw is active on between 50% and 70% of existing SAP NetWeaver Application Server Java systems, even though it’s not automatically installed.

Reportedly, the vulnerability, first documented by ReliaQuest, exists in the “developmentserver” part of the SAP Visual Composer, a component of SAP NetWeaver 7.xx, designed to create business tools without writing code.

The problem occurs because the system doesn’t properly check if someone accessing the Metadata Uploader feature is actually allowed to do so. This lack of proper authentication and authorization allows unlogged users to access powerful functions.

On April 22nd, ReliaQuest observed suspicious activity on patched SAP NetWeaver servers, suggesting attackers might have been using a different, unknown vulnerability. On the same day, SAP acknowledged unusual files being found on SAP NetWeaver Java systems, as described in their knowledge base article SAP KBA 3593336. On April 24th, SAP released a FAQ document (SAP Note 3596125) confirming that files with extensions like ‘.jsp’, ‘.java’, or ‘.class’ found in specific folders like …\\irj\\root, …\\irj\\work, and …\\irj\\work\\sync are likely malicious. 

Finally, on April 24th, SAP officially announced CVE-2025-31324, clearly stating it was due to a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. They confirmed that the root cause is a lack of proper permission checks, allowing unauthorized individuals to upload dangerous executable files and an out-of-band emergency NetWeaver update has been released.

This flaw, classified as a Missing Authorization issue (CWE-862) or Missing Authentication for Critical Function (CWE-306), poses a significant risk of system takeover if exploited, which is why it has earned the highest severity score.

It can be remotely exploited using standard web communication methods (HTTP/HTTPS). Security experts have observed that attackers are targeting a specific web address: /developmentserver/metadatauploader, by sending specially crafted requests and since no login or authentication is needed to carry out an attack, anyone, even without an account, could interact with the system’s vulnerable part and upload any file.

According to Onapsis’s blog post, malicious code files called webshells titled “helper.jsp” or “cache.jsp” are already being uploaded, allowing attackers to execute commands with high-level permissions as software administrators (<sid>adm) and obtaining full control over SAP resources.

> _“Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in the system context, with the privileges of the adm Operating System user, giving them full access to all SAP Resources.”_
> 
> Juan Perez-Etchegoyen – CTO at Onapsis

SAP urges customers to promptly assess their risk by checking for Java systems, the presence and version of the VCFRAMEWORK component (especially if older than 7.5 or specifically 7.0 with a support package below 16), as the vulnerable component might not be present in basic Java stack or default Solution Manager installations. Implementing the official fix is the only solution to mitigate this risk.

Benjamin Harris, CEO of Attack Surface Management firm watchTowr, warned that unauthenticated attackers are actively exploiting a vulnerability in SAP NetWeaver to upload arbitrary files, leading to full system compromise.

“This isn’t theoretical, it’s happening now,” Harris said, noting that attackers are planting web shell backdoors to deepen their access. He urged immediate patching via SAP Security Note 3594142, emphasizing, “If you thought you had time, you don’t.” Harris added that watchTowr clients were alerted to exposures within 12 hours, thanks to the platform’s rapid detection capabilities.

SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells

Plus: Cybercriminals stole a record-breaking fortune from US residents and businesses in 2024, and Google performs its final flip-flop in its yearslong quest to kill tracking cookies.

As the Trump administration’s aggressive immigration policy ramps up, people have started to seriously consider their privacy and security when crossing into the United States. That’s especially true when it comes to searches of travelers’ phones and other devices, which US Customs and Border Protection agents have broad authority to search. Fortunately, there are some steps you can take, such as deleting certain apps from your personal phone or using an alternative phone that’s set up just for traveling internationally.

Operatives with Elon Musk’s so-called Department of Government Efficiency (DOGE) have spent the first months of the Trump administration clawing their way into US government systems. It’s now starting to become clear exactly what those systems are and what kind of data on US residents they hold. WIRED this week detailed the 19 systems DOGE operatives have access to just at the Department of Health and Human Services.

Pope Francis died on Monday at age 88. The passing of the supreme pontiff sets in motion a conclave, the secretive process used to select the new pope. To protect the conclave’s integrity and try to prevent leaks, a wide range of security measures will be put in place, from privacy film on windows at the Vatican to signal jammers and sweeps for hidden microphones.

Google recently announced the initial rollout of end-to-end encrypted email for Google Workspace accounts, which is good news for the privacy of enterprise-level users. When a Workspace user emails a non-Workspace account, the recipient gets an invitation to create a guest account so they can read the email. Unfortunately, security experts say, this will likely create new opportunities for phishing attacks, as scammers try to bait people with fake invitations.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

SignalGate is the scandal that just won’t die—at least not if you’re US secretary of defense Pete Hegseth. On Wednesday, The Washington Post reported that Hegseth had installed Signal on a “second computer in his office” so that he could “use Signal in a classified space, where his cellphone and other personal electronics are not permitted, and communicate with ease with anyone.”

The Associated Press on Thursday added to the picture of Hegseth’s reported Signal use, revealing that Hegseth got a second internet line installed that connected directly to the public internet rather than through the Pentagon’s secured connection, according to sources who spoke with the AP. Hegseth allegedly did this so he could use that second computer with Signal installed. Then on Friday, The New York Times found that the phone number associated with Hegseth’s Signal account—the one he used in that infamous group chat—is easily discoverable online, potentially opening him up to targeted cyberattacks by hostile nations.

**Cybercriminals Stole a Record-Breaking $16.6 Billion From US Entities in 2024**

Despite a steady flow of arrests and takedowns of online scammers, cybercriminals are operating at unprecedented levels and making more money than ever. Two reports released this week reveal the stark scale of online criminality. Last year in the United States, businesses and individuals lost $16.6 billion to online crimes, according to the FBI’s Internet Crime Complaint Center—that’s the highest figure ever reported and a leap of 33 percent compared to 2023. In 2024, there were 859,532 complaints about potential online crimes, with the FBI saying phishing and spoofing complaints account for 193,000 of them, followed by extortion with 86,000 complaints. Investment scams, which often involve cryptocurrency, made up more than $6 billion of the total losses, with business email compromise scams leading to losses of $2.7 billion.

Around the same time, the United Nations Office on Drugs and Crime highlighted that giant scam compounds in Southeast Asia—where human trafficking victims are forced to work scamming people—are generating $40 billion in profits per year and keep on growing. These industrial-scale scam organizations, which are often linked to Chinese criminals, heavily use investment scams (sometimes called pig-butchering) to con people out of their life savings and are expanding outside of the region. “It spreads like a cancer,” Benedikt Hofmann of the UNODC said in a statement.

**Google Chrome Won’t Ditch Creepy Tracking Cookies After All**

Back in 2020, Google announced its Chrome browser would stop using third-party cookies, which track people around the web, and would move to a less creepy way of powering its advertising businesses. Web browsers such as Safari, Firefox, and Brave ditched cookies years before Google made the announcement. But this week, after countless U-turns, failed efforts to develop alternatives, and criticism that proposals to replace cookies would favor Google, the company announced it will, in fact, keep the trackers in Chrome.

“We’ve made the decision to maintain our current approach to offering users third-party cookie choice in Chrome,” wrote Anthony Chavez, the Google VP in charge of its Privacy Sandbox efforts, in a blog post. “As we’ve engaged with the ecosystem, including publishers, developers, regulators, and the ads industry, it remains clear that there are divergent perspectives on making changes that could impact the availability of third-party cookies,” Chavez wrote. While the US government is proposing that Google sell off Chrome as part of its antitrust case against the company, it’s still possible to turn off third-party cookies or use a privacy-friendly browser instead.

Pete Hegseth’s Signal Scandal Spirals Out of Control

Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to…

Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to run code remotely and gain full control.

A severe security vulnerability has been discovered in the Commvault Command Center, a widely adopted solution for enterprise backup and data management. This flaw, tracked as CVE-2025-34028 and assigned a critical severity score of 9.0 out of 10, could allow remote attackers to execute any code they desire on vulnerable Commvault installations without needing to log in.

The dangerous weakness was discovered and responsibly reported on April 7, 2025, by Sonny Macdonald, a researcher with watchTowr Labs. Their analysis revealed that the vulnerability lies within a specific web interface component named “deployWebpackage.do.”

This endpoint is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack due to a lack of proper validation on the external servers the Commvault system is permitted to interact with.

Commvault itself acknowledged the issue in a security advisory released on April 17, 2025, stating that this flaw “could lead to a complete compromise of the Command Center environment,” potentially exposing sensitive data and disrupting critical operations.

However, the SSRF vulnerability is just the starting point to achieving full code execution. Research revealed that attackers can further exploit this by sending a specially crafted ZIP archive containing a malicious “.JSP” file, tricking the Commvault server into fetching it from a server controlled by the attacker. The contents of this ZIP are then extracted to a temporary directory, a location the attacker can influence.

By cleverly manipulating the “servicePack” parameter in subsequent requests, the attacker can scan the system’s directories, moving their malicious “.JSP" file into a publicly accessible location, such as “../../Reports/MetricsUpload/shell.” Finally, by triggering the SSRF vulnerability again, the attacker can execute their “.JSP” file from this accessible location, effectively running arbitrary code on the Commvault system.

However, in this case, the ZIP file is not read in a typical way. Instead, it is read from a “multipart request” before the vulnerable part of the software processes. This could allow hackers to bypass security measures that might block normal web requests.

WatchTowr Labs reported the security issue to Commvault, which quickly addressed it with a patch. The patch was released on April 10, 2025, and the issue was later disclosed on April 17, 2025.

Commvault confirmed that the problem only affected the “Innovation Release” software version 11.38.0 to 11.38.19 for Linux and Windows computers, therefore, the update to version 11.38.20 or 11.38.25 will resolve the issue. watchTowr Labs has also created a “Detection Artefact Generator” to help administrators identify systems exposed to CVE-2025-34028.

This research highlights that backup systems are becoming high-value targets for cyberattacks. These systems are crucial for restoring normalcy after an attack, and if they are controlled, they pose a significant threat primarily because these systems often contain secret usernames and passwords for crucial company computer parts. The severity of the flaw emphasises the need for swift security updates for data protection and backup infrastructure to ensure optimal protection from such attacks.  

Agnidipta Sarkar, VP CISO Advisory, ColorTokens, commented on the latest development, stating, This CVSS 10 flaw allows unauthenticated remote code execution, risking full compromise of Commvault’s Command Center. Immediate, sustained mitigation is essential. If full network shutdown isn’t feasible, tools like Xshield Gatekeeper can quickly isolate critical systems. Without action, the threat of ransomware and data loss is severe.

Critical Commvault Flaw Allows Full System Takeover – Update NOW

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-34g7-pg9j-pxgp: Moodle allows IDOR when accessing the cohorts report

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m8qh-hx4c-h9hr: Moodle has a CSRF risk in Brickfield tool's analysis request action

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3636

**Moodle allows IDOR in RSS block, which allows access to additional RSS feeds**

Moderate severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-chmf-m33p-ph8m: Moodle allows IDOR in RSS block, which allows access to additional RSS feeds

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3641

**Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository**

High severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-c8v6-vxhf-wcrr: Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3642

**Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository**

High severity GitHub Reviewed Published Apr 25, 2025 to the GitHub Advisory Database • Updated Apr 25, 2025

**Package**

composer moodle/moodle (Composer)

**Affected versions**

< 4.1.18

\>= 4.3.0-beta, < 4.3.12

\>= 4.4.0-beta, < 4.4.8

\>= 4.5.0-beta, < 4.5.4

**Patched versions**

4.1.18

4.3.12

4.4.8

4.5.4

**Description**

Published to the GitHub Advisory Database

Apr 25, 2025

Last updated

Apr 25, 2025

**EPSS score**

GHSA-m367-445c-2xqr: Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

Tag

#auth