CVE-2019-3847

medium

Description

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

References

https://moodle.org/mod/forum/discuss.php?d=384010#p1547742

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847

http://www.securityfocus.com/bid/107489

Details

Source: Mitre, NVD

Published: 2019-03-27

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.01255