CVE-2019-3847 Information

Description

A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users’ Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/107489
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
https://moodle.org/mod/forum/discuss.php?d=384010p1547742

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

7.2

Base Severity

HIGH
