CVE-2019-3847: XSS
First published: Wed Mar 27 2019(Updated: )
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | <3.1.17 | 3.1.17 |
| composer/moodle/moodle | >=3.2.0<3.4.8 | 3.4.8 |
| composer/moodle/moodle | >=3.5.0<3.5.5 | 3.5.5 |
| composer/moodle/moodle | >=3.6.0<3.6.3 | 3.6.3 |
| Moodle | <3.1.17 | |
| Moodle | >=3.4.0<3.4.8 | |
| Moodle | >=3.5.0<3.5.5 | |
| Moodle | >=3.6.0<3.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-3847
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
- https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
- http://www.securityfocus.com/bid/107489
- https://github.com/advisories/GHSA-qrcj-6fjw-3h9h (Advisory)
- https://github.com/moodle/moodle/commit/070f24d006eab6b958eb083530de159b43c538ed
- https://github.com/moodle/moodle/commit/93dda3bfd3caaaa8d23fe8ede543f27ef774958d
- https://github.com/moodle/moodle/commit/a37e26d2efe1ca0e4d8d69c611a748af35b33674
- https://github.com/moodle/moodle/commit/e836242e1c04cd62d0afa4a790074fd245628e7a
- https://github.com/moodle/moodle/commit/ec3b63c772d6448765c68268234cf36c1a91bcac
- https://web.archive.org/web/20200227082922/http://www.securityfocus.com/bid/107489
Frequently Asked Questions
What is the severity of CVE-2019-3847?
CVE-2019-3847 has a medium severity rating due to its potential impact on user data privacy and security.
How do I fix CVE-2019-3847?
To remediate CVE-2019-3847, upgrade Moodle to version 3.6.3, 3.5.5, 3.4.8, or 3.1.17 or later.
Who is affected by CVE-2019-3847?
Users with the 'login as other users' capability, such as administrators and managers, are affected by CVE-2019-3847.
What type of vulnerability is CVE-2019-3847?
CVE-2019-3847 is identified as a cross-site scripting (XSS) vulnerability affecting Moodle.
Can CVE-2019-3847 be exploited remotely?
Yes, CVE-2019-3847 can potentially be exploited remotely if an attacker gains access to an account with elevated permissions.
- agent/type
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qrcj-6fjw-3h9h
- alias/CVE-2019-3847
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/3.4.0
- version/moodle/3.5.0
- version/moodle/3.6.0