CVE-2025-60506 | Stored Cross-Site Scripting (XSS) in Moodle PDF Annotator plugin (v1.5 release 9)
Summary
- Vulnerability: Stored Cross-Site Scripting (XSS) in Moodle PDF Annotator plugin (mod_pdfannotator) — Public Comments rendering.
- CVE: CVE-2025-60506 (assigned)
- Discoverer: Onurcan Genç — Independent Security Researcher
- Tested environment: Bitnami Docker image for Moodle 4.x
- Plugin: mod_pdfannotator v1.5 (release 9, build 2025090300)
- Browser used during testing: Chrome (headless / visible)
Vulnerability Summary
The Public Comments feature in the PDF Annotator plugin fails to properly sanitize user-supplied input before rendering it inside the PDF viewer’s comment panel. A low-privileged authenticated user (e.g., Student) can inject HTML/JavaScript into the Public Comments field; that content is stored and later executed in the browsers of other users (Student, Teacher, Admin) when they open the annotated PDF.
Safety note: Public PoC examples and evidence provided with this advisory use non-exfiltrative payloads only (e.g., alert() or visible DOM markers). No credentials or sensitive data were exfiltrated to external hosts in published evidence.
Affected Component
- /mod/pdfannotator/view.php
- /mod/pdfannotator/ajax.php
The vulnerable input is submitted via the Add Public Comment action; comments are loaded via AJAX and inserted into the PDF.js comment panel without adequate output encoding.
Attack Scenario (high level)
- Attacker (Student): Adds a Public Comment containing unescaped HTML/JS to an annotated PDF activity.
- Trigger: Another user opens the same annotated PDF activity. The stored comment is inserted into the DOM of the PDF viewer and the browser executes it.
- Result / Impact: Stored XSS execution in the victim’s browser — possible impacts include session theft, forced actions in the victim’s session, UI/UX manipulation, or further chained attacks depending on context.
Technical Analysis
| Parameter | Value |
|---|---|
| Endpoint | /mod/pdfannotator/ajax.php?action=save_comment |
| Method | POST |
| Parameter | content |
| Affected role | Student (authenticated user) |
| Sanitization | Missing output escaping / direct insertion into DOM |
| Output context | Inserted into PDF.js comment panel (innerHTML-like behavior) |
PoC payload (safe):

```html
"><img src=x onerror=alert(document.cookie)>
```
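To make the root cause concrete, the following is an added example written for this page; it is not code from the advisory or from the mod_pdfannotator plugin. It models the comment panel described above with two renderers: one that concatenates the stored comment into markup unencoded (the innerHTML-like behaviour the advisory describes) and one that HTML-encodes every untrusted field first. It also includes a triage helper a site administrator can run over already-stored comments after patching to find rows that look like markup. The field names `author` and `content` and the sample rows are assumptions constructed for the example, not the plugin's real schema; the payload is the one quoted in the PoC section.

```javascript
// Added example (not part of the advisory or the mod_pdfannotator code base).
// Models the Public Comments panel: a stored comment is fetched over AJAX and
// written into the panel as markup. renderCommentVulnerable reproduces the
// unencoded innerHTML-like path; renderCommentSafe encodes first.
// Field names (author, content) and SAMPLE_ROWS are constructed assumptions.

// Payload quoted from the advisory's PoC section.
const POC_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

// HTML-encode the characters that change meaning in text or attribute context.
// Single pass, so existing entities are not double-encoded by a second call
// on different input; do not call it twice on the same string.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted fields are concatenated straight into the
// markup that will be assigned to the panel's innerHTML.
function renderCommentVulnerable(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.content}</div>`;
}

// Hardened pattern: every untrusted field is encoded, so the browser shows the
// payload as literal text and creates no element or event handler from it.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.content)}</div>`;
}

// Triage heuristic for already-stored comments: a tag-like token, an inline
// event-handler attribute, or a javascript: URL. Heuristic only; "<b>bold</b>"
// typed by a well-meaning user also matches and needs a human look.
function looksLikeMarkup(content) {
  return /<\s*[a-z!\/]/i.test(content)
    || /\bon[a-z]+\s*=/i.test(content)
    || /javascript\s*:/i.test(content);
}

// Walk a batch of stored rows and return the ids worth reviewing.
function triageStoredComments(rows) {
  return rows.filter((r) => looksLikeMarkup(r.content)).map((r) => r.id);
}

// Constructed sample rows standing in for the plugin's stored comments.
const SAMPLE_ROWS = [
  { id: 101, author: 'student_a', content: 'Good explanation of the proof on page 3.' },
  { id: 102, author: 'student_b', content: POC_PAYLOAD },
  { id: 103, author: 'student_c', content: 'Try <b>bold</b> here' },
  { id: 104, author: 'student_d', content: 'Is 2<3 always true here?' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const row = SAMPLE_ROWS[1];
  console.log('vulnerable:', renderCommentVulnerable(row));
  console.log('hardened  :', renderCommentSafe(row));
  console.log('ids to review:', triageStoredComments(SAMPLE_ROWS));
}
```

Run it with `node` to see the two renderings side by side: the hardened output contains `&lt;img ...&gt;` and no `<img` element. The same rule applies on the server side; in Moodle code that means passing stored comment text through `s()` (or `format_text()` with a restrictive format) before it is returned to the viewer, and the encoding has to match the context the text lands in, so attribute values need quoting as well as encoding. The triage helper is deliberately noisy: after a fix is deployed, a short list of false positives is cheaper than a missed stored payload.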
CVSS Scoring (base metrics and rationale)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Base Score (approx): 8.9 (High)
Rationale:
- AV:N (Network) — reachable over web.
- AC:L (Low) — no special conditions required.
- PR:L (Low) — attacker needs a low-privilege account.
- UI:R (Required) — another user must view the annotated PDF.
- S:C (Scope: Changed) — execution observed in higher-privilege contexts (Teacher/Admin), enabling potential chaining to admin-scoped actions.
- C:H / I:H / A:L — confidentiality and integrity impacts are high if chained; availability low.