CVE Vulnerability

CVE-2019-3809

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

10 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://moodle.org/mod/forum/discuss.php?d=381229#p1536766 Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809 Issue Tracking Patch
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222 Patch Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Information

Published : 2019-03-25 06:29

Updated : 2019-10-09 11:49

NVD link : CVE-2019-3809

Mitre link : CVE-2019-3809

Products Affected
No products.
CWE
CWE-918

Server-Side Request Forgery (SSRF)