CVE-2019-3847

MEDIUM

Moodle < 3.1.17 - XSS

Title source: rule

Description

A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf.

Exploits (1)

nomisec WORKING POC 7 stars
by danielthatcher · poc
https://github.com/danielthatcher/moodle-login-csrf

Scores

CVSS v3 4.8
EPSS 0.0087
EPSS Percentile 75.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
moodle/moodle < 3.1.17
moodle/moodle 3.6.0 - 3.6.3 (Packagist)
Published Mar 27, 2019
Tracked Since Feb 18, 2026