CVE-2019-3848 Information

Description

A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar’s edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: It was read-only access; users could not edit the events.)

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3848
https://moodle.org/mod/forum/discuss.php?d=384011p1547743

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

4.3

Base Severity

MEDIUM
