CVE-2019-3848
MEDIUM
moodle < 3.4.8 - Incorrect Authorization in Calendar Event Modal
Title source: llm
Description
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before event information was loaded into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: the access was read-only; users could not edit the events.)
References (2)
Core References
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3848
Patch, Vendor Advisory
https://moodle.org/mod/forum/discuss.php?d=384011#p1547743
Scores
CVSS v3
4.3
EPSS
0.0013
EPSS Percentile
32.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (2)
moodle/moodle
< 3.4.8
moodle/moodle
3.4 - 3.4.8
Packagist
Published
Mar 26, 2019
Tracked Since
Feb 18, 2026