CVE-2019-3808
Last modified
CVE-2019-3808 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. EPSS estimates a 1.12% chance of exploitation in the next 30 days.
Description
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | >= 3.1.0, <= 3.1.15 |
| Moodle | Moodle | >= 3.4.0, <= 3.4.6 |
| Moodle | Moodle | >= 3.5.0, <= 3.5.3 |
| Moodle | Moodle | 3.6.0 |
| Moodle | Moodle | 3.6.1 |
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395Patch, Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3808Issue Tracking, Patch, Third Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=381228#p1536765Patch, Vendor Advisory
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395Patch, Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3808Issue Tracking, Patch, Third Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=381228#p1536765Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-3808?
How severe is CVE-2019-3808?
How do I fix CVE-2019-3808?
Are you affected by CVE-2019-3808?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST