CVE Catalog

CVE-2025-60511

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

The Moodle OpenAI Chat Block plugin version 3.0.1 (2025021700) suffers from an IDOR vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries executed with that block's configuration.

Risk Assessment

The risk includes exposure of administrator-only Source of Truth entries, alteration of model behavior, and potential misuse of API resources, which could lead to data leakage and unauthorized actions.

Recommendation

Immediately update the OpenAI Chat Block plugin to the latest version that fixes this vulnerability and implement permission validation for the blockId parameter.

Original NVD description (English source)

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS