CVE-2019-3808
Severity: MEDIUM
Moodle 3.1.0-3.1.14, 3.4.0-3.4.5, 3.5.0-3.5.2, 3.6.0-3.6.1 - Cross-Site Scripting via Manage Groups Capability
Title source: llmDescription
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but did grant that level of access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.
References (3)
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3808
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=381228#p1536765
Patch, Vendor Advisory x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
38.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
moodle/moodle
3.6.0
moodle/moodle
3.6.1
moodle/moodle
3.1.0 - 3.1.15
moodle/moodle
3.6.0 - 3.6.2 (Packagist)
Published
Mar 25, 2019
Tracked Since
Feb 18, 2026