CVE-2019-3809

Description

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected products

Unknown / moodle3.1.16 – 3.1.16

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
MISChttps://moodle.org/mod/forum/discuss.php?d=381229#p1536766
MISChttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222