Vulnerability Description
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | < 3.1.17 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/107489Broken LinkThird Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847Issue TrackingPatchThird Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742PatchVendor Advisory
- http://www.securityfocus.com/bid/107489Broken LinkThird Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847Issue TrackingPatchThird Party Advisory
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742PatchVendor Advisory
FAQ
What is CVE-2019-3847?
CVE-2019-3847 is a vulnerability with a CVSS score of 4.8 (MEDIUM). A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboard...
How severe is CVE-2019-3847?
CVE-2019-3847 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3847?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.