CVE-2019-3849

HIGH

moodle < 3.4.8 - Unauthenticated Privilege Escalation via LTI Request Tampering

Title source: llm

Description

A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

References (2)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3849
Patch, Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=384012#p1547744

Scores

CVSS v3 8.8
EPSS 0.0037
EPSS Percentile 59.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269 CWE-285
Status published
Products (2)
moodle/moodle < 3.4.8
moodle/moodle 0 - 3.4.8 (Packagist)
Published Mar 26, 2019
Tracked Since Feb 18, 2026