Security Issue

Affecting moodle/moodle package, versions <3.1.17 || >=3.4.0, <3.4.8 || >=3.5.0, <3.5.5 || >=3.6.0, <3.6.3

Overview

moodle/moodle is a learning platform.

Affected versions of this package are vulnerable to a security issue. Users with the "login as other users" permission (such as administrators/managers) can access other users' Dashboards, but JavaScript that those users may have added to their Dashboard was not escaped when viewed by the user logged in on their behalf.

Remediation

Upgrade moodle/moodle to version 3.1.17, 3.4.8, 3.5.5, 3.6.3 or higher.
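
To check installed versions against the affected range stated at the top of this advisory, a range evaluator can be used. This is an added example, not code from Snyk or Moodle; the function names and the sample inventory are constructed for illustration.

```python
import operator
import re

# Range copied from the advisory. "||" separates alternatives; "," joins
# constraints that must all hold within one alternative.
AFFECTED = "<3.1.17 || >=3.4.0, <3.4.8 || >=3.5.0, <3.5.5 || >=3.6.0, <3.6.3"

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(text):
    """'3.5.4' -> (3, 5, 4); a missing patch number counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version, spec=AFFECTED):
    """True if version satisfies every constraint of any one alternative.

    False only means the version is outside the ranges as written (for
    example 3.3.9); it says nothing about branches the range does not list.
    """
    v = parse_version(version)
    for alternative in spec.split("||"):
        constraints = [c.strip() for c in alternative.split(",") if c.strip()]
        if not constraints:
            raise ValueError(f"empty alternative in spec: {spec!r}")
        for c in constraints:
            m = re.fullmatch(r"(<=|>=|<|>|=)\s*(\S+)", c)
            if not m:
                raise ValueError(f"unrecognised constraint: {c!r}")
            if not _OPS[m.group(1)](v, parse_version(m.group(2))):
                break
        else:
            return True  # no constraint failed in this alternative
    return False


# Constructed sample inventory (site label -> installed version), not real data.
SAMPLE_SITES = {"lms-a": "3.1.16", "lms-b": "3.3.9", "lms-c": "3.5.5", "lms-d": "3.6.2"}


def needs_upgrade(sites):
    """Sorted labels of sites whose version falls in the affected range."""
    return sorted(name for name, ver in sites.items() if is_affected(ver))
```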

CVSS Score

3.3 (low severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O

Credit: Daniel Thatcher
CVE: CVE-2019-3847
CWE: CWE-355
Snyk ID: SNYK-PHP-MOODLEMOODLE-174012
Disclosed: 27 Mar, 2019
Published: 27 Mar, 2019