CVE-2025-3644 - Moodle Course Section Deletion Privilege Escalation Vulnerability

CVE ID : CVE-2025-3644

Published : April 25, 2025, 3:15 p.m. | 3 hours, 46 minutes ago

Description : A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

CVE-2025-6087 – Cloudflare Open Next SSRF

June 16, 2025

CVE ID : CVE-2025-6087

Published : June 16, 2025, 7:15 p.m. | 1 hour, 42 minutes ago

Description : A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.

This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next.

For example:

https://victim-site.com/_next/image?url=https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Impact:

* SSRF via unrestricted remote URL loading

* Arbitrary remote content loading

* Potential internal service exposure or phishing risks through domain abuse

Mitigation:

The following mitigations have been put in place:

* Server side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next

* Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is found here @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0

* Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found here: create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns filter in Next config https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns if they need to allow-list external urls with images assets.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

The Psychology Of Color In UX Design And Digital Products

This week in AI dev tools: Claude Sonnet 4’s larger context window, ChatGPT updates, and more (August 15, 2025)

Sentry launches MCP monitoring tool

10 Benefits of Hiring a React.js Development Company (2025–2026 Edition)

14 secret phone codes that unlock hidden features on your Android and iPhone

Stop using AI for these 9 work tasks – here’s why

A smart sensor assessed my home’s risk of electrical fires, and I was impressed

I brought Samsung’s rugged Galaxy tablet on a hiking trip, and it weathered everything

AI’s Hidden Thirst: The Water Behind Tech

AI’s Hidden Thirst: The Water Behind Tech

Minesweeper game in 100 lines of pure JavaScript – easy tutorial

Maintaining Data Consistency with Laravel Database Transactions

5 Best VPN for Lenovo Laptops to Enjoy the Web Safely

5 Best VPN for Lenovo Laptops to Enjoy the Web Safely

3 Best Antivirus and Malware Protection Software

11 Best Antivirus Without Ads

CVE-2025-3644 – Moodle Course Section Deletion Privilege Escalation Vulnerability

Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

Exploit details for max severity Cisco IOS XE flaw now public

CVE-2025-4700 – GitLab CE/EE Cross-Site Scripting Vulnerability

Clive Barker’s Hellraiser: Revival coming to Xbox Series X|S and PC — One of the scariest horror films I’ve ever seen is getting a videogame adaptation that I never knew I wanted until now

AI-Generated Stock Graphics: The Future or Just a Fad?

CVE-2025-6087 – Cloudflare Open Next SSRF

Microsoft launches Intel-exclusive Surface Laptop 5G with reengineered design — but it’s SHOCKINGLY expensive

Why the ROG Xbox Ally skips OLED—and why that’s probably a good thing

CVE-2025-52289 – MagnusBilling Broken Access Control Vulnerability

CVE-2025-3644 – Moodle Course Section Deletion Privilege Escalation Vulnerability

Related Posts