CVE-2019-3810 Information

Description

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users’ full names, which are included as text when hovering over profile images. Note that this page is not linked to by default and its access is restricted.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3810

https://moodle.org/mod/forum/discuss.php?d=381230p1536767

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
