Vulnerability Description
A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | >= 3.5.0, <= 3.5.7 |
Related Weaknesses (CWE)
References
- https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284 (Patch, Vendor Advisory)
- https://moodle.org/mod/forum/discuss.php?d=391030 (Patch, Vendor Advisory)
FAQ
What is CVE-2019-14827?
CVE-2019-14827 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contex...
How severe is CVE-2019-14827?
CVE-2019-14827 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-14827?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.