Moodle User Capability Bypass Flaw in Pre-3.6.3 Versions
CVE-2019-3852

4.3MEDIUM

Key Information:

Vendor: [unknown]
Status: Moodle
Vendor: CVE Published:; 26 March 2019

What is CVE-2019-3852?

A vulnerability exists in Moodle versions prior to 3.6.3 that allows bypassing user capabilities due to the get_with_capability_join and get_users_by_capability functions failing to properly account for context freezing. This oversight may permit unauthorized users to access functionalities they should not be permitted to use, potentially leading to a compromise of the system's security integrity.

Affected Version(s)

moodle 3.6.3

References

https://moodle.org/mod/forum/discuss.php?d=384015#p1547748

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3852

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2019
Vulnerability Reserved
Jan 3, 2019

[unknown]

What is CVE-2019-3852?

Affected Version(s)

References

CVSS V3.1

Timeline