CVE-2019-3809
MEDIUM
Moodle 3.1.0-3.1.15 - Server-Side Request Forgery via MyBackpack Badge URL
Title source: llm
Description
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
References (3)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=381229#p1536766
Patch, Vendor Advisory x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Scores
CVSS v3
6.5
EPSS
0.0026
EPSS Percentile
49.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Details
CWE
CWE-918
CWE-352
Status
published
Products (2)
moodle/moodle
3.1 - 3.1.16
Packagist
moodle/moodle
3.1.0 - 3.1.15
Published
Mar 25, 2019
Tracked Since
Feb 18, 2026