CVE-2019-3808 Information

Description

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users and is only assigned to teachers and managers by default.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3808

https://moodle.org/mod/forum/discuss.php?d=381228p1536765

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
