Security Advisory

CVE-2025-60511

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-10-21 00:00:00
Last updated 2025-10-21 18:35:59
Assigner mitre
State PUBLISHED

Description

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another users block (e.g., administrator) and send queries that are executed with that blocks configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.