CVE-2019-3847
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but JavaScript that those other users may have added to their Dashboard was not escaped when viewed by the user logged in on their behalf.
Published
2019-03-27T13:29:01.757
Last Modified
2024-11-21T04:42:41.770
Status
Modified
Source
[email protected]
Severity
CVSSv3.1: 4.8 (MEDIUM)
CVSSv2 Vector
AV:N/AC:M/Au:S/C:N/I:P/A:N
- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: SINGLE
- Confidentiality Impact: NONE
- Integrity Impact: PARTIAL
- Availability Impact: NONE
Exploitability Score
6.8
Impact Score
2.9
Weaknesses
- Type: Secondary, CWE-79
- Type: Primary, CWE-79
Affected Vendors & Products
References
- http://www.securityfocus.com/bid/107489
  Broken Link, Third Party Advisory, VDB Entry
  ([email protected])
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
  Issue Tracking, Patch, Third Party Advisory
  ([email protected])
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
  Patch, Vendor Advisory
  ([email protected])
- http://www.securityfocus.com/bid/107489
  Broken Link, Third Party Advisory, VDB Entry
  (af854a3a-2127-422b-91ae-364da2661108)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
  Issue Tracking, Patch, Third Party Advisory
  (af854a3a-2127-422b-91ae-364da2661108)
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
  Patch, Vendor Advisory
  (af854a3a-2127-422b-91ae-364da2661108)