CVE-2019-3808:
Moodle XSS Vulnerability

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.60834%
Published: 5/13/2022
Updated: 9/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    >= 3.6.0, <= 3.6.1     3.6.2
moodle/moodle   composer    >= 3.5.0, <= 3.5.3     3.5.4
moodle/moodle   composer    >= 3.2.0, <= 3.4.6     3.4.7
moodle/moodle   composer    <= 3.1.15              3.1.16

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing 'XSS risk' flag in the capability definition for 'moodle/course:managegroups' in lib/db/access.php, not from specific functions. The patch adds the RISK_XSS flag to this capability's metadata, indicating the vulnerability was caused by improper security labeling rather than flawed function implementations. While the capability is used in XSS-prone contexts, the advisory and commit diff don't identify specific functions that handle unsanitized input. The root issue is a missing risk declaration in the access control configuration, not vulnerable code in particular functions.


WAF Protection Rules

WAF Rule

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.2 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places.
