Vulnerability Description
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | >= 3.1.0, <= 3.1.15 |
Related Weaknesses (CWE)
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372PatchVendor Advisory
- http://packetstormsecurity.com/files/162399/Moodle-3.6.1-Cross-Site-Scripting.htExploitThird Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3810Issue TrackingPatchThird Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=381230#p1536767PatchVendor Advisory
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372PatchVendor Advisory
- http://packetstormsecurity.com/files/162399/Moodle-3.6.1-Cross-Site-Scripting.htExploitThird Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3810Issue TrackingPatchThird Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=381230#p1536767PatchVendor Advisory
FAQ
What is CVE-2019-3810?
CVE-2019-3810 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as...
How severe is CVE-2019-3810?
CVE-2019-3810 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3810?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.