CVE-2019-3808 – moodle/moodle
Package
Manager: composer
Name: moodle/moodle
Vulnerable Version: >=3.6.0 <3.6.2 || >=3.5.0 <3.5.4 || >=3.2.0 <3.4.7 || >=0 <3.1.16
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0028 (percentile: 0.51012)
Details
Moodle XSS Vulnerability
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, although it does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.
Metadata
Created: 2022-05-13T01:14:27Z
Modified: 2023-09-28T20:17:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4r2p-wpv5-683w/GHSA-4r2p-wpv5-683w.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-4r2p-wpv5-683w
Finding: F425
Auto approve: 1