CVE-2019-3847
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| [UNKNOWN] | Moodle | 3.6 to 3.6.2 | affected |
| [UNKNOWN] | Moodle | 3.5 to 3.5.4 | affected |
| [UNKNOWN] | Moodle | 3.4 to 3.4.7 | affected |
| [UNKNOWN] | Moodle | 3.1 to 3.1.16 and earlier unsupported versions | affected |
Weaknesses
- CWE-79: CWE-79
ADP Enrichment
CVE Program Container
Additional References
- http://www.securityfocus.com/bid/107489
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
References
- http://www.securityfocus.com/bid/107489
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.