XSS Vulnerability in Moodle by Moodle HQ
CVE-2019-3808

4.3MEDIUM

Key Information:

Vendor: [unknown]
Status: Moodle
Vendor: CVE Published:; 25 March 2019

What is CVE-2019-3808?

A security flaw in specific versions of Moodle allows unauthorized cross-site scripting due to the 'manage groups' capability lacking the 'XSS risk' flag. While this capability is intended for trusted users, it has been improperly assigned in certain contexts, making it potential for abuse by attackers. Affected versions include Moodle 3.6 through 3.6.1, 3.5 through 3.5.3, 3.4 through 3.4.6, and 3.1 through 3.1.15, alongside earlier unsupported versions, which could lead to exploit scenarios if not addressed.

Affected Version(s)

moodle 3.6.2

moodle 3.5.4

moodle 3.4.7

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3808

x_refsource_CONFIRM

https://moodle.org/mod/forum/discuss.php?d=381228#p1536765

x_refsource_CONFIRM

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2019
Vulnerability Reserved
Jan 3, 2019

[unknown]

What is CVE-2019-3808?

Affected Version(s)

References

CVSS V3.1

Timeline