CVE-2019-3808: Moodle XSS Vulnerability
CVSS Score: 5.4 (CVSS v3.1, Medium severity)
Basic Information
CVE ID: CVE-2019-3808
GHSA ID:
EPSS Score: 0.60834% (EPSS estimates the probability of exploitation in the wild within the next 30 days)
CWE:
Published: 5/13/2022
Updated: 9/28/2023
KEV Status: No (not listed in the CISA Known Exploited Vulnerabilities catalog)
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reading the vector: reachable over the network with low attack complexity; the attacker needs low privileges (typically a teacher-level account that holds the affected capability); a victim must interact by viewing the injected content; scope is changed because the payload executes in the victim's browser rather than in Moodle's own security context; confidentiality and integrity impact are low and there is no availability impact.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.6.0, <= 3.6.1 | 3.6.2 |
| moodle/moodle | composer | >= 3.5.0, <= 3.5.3 | 3.5.4 |
| moodle/moodle | composer | >= 3.2.0, <= 3.4.6 | 3.4.7 |
| moodle/moodle | composer | <= 3.1.15 | 3.1.16 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from a missing RISK_XSS flag in the capability definition for 'moodle/course:managegroups' in lib/db/access.php, not from a defect in any specific function. In Moodle a capability's riskbitmask is metadata: the role-definition pages use it to warn administrators that granting the capability lets its holder enter content that can carry cross-site scripting (RISK_XSS). It is not an input filter, so the missing flag did not change how group data was escaped; it meant the capability could be assigned to roles without that warning being shown. The patch adds RISK_XSS to the capability's metadata, which is why the fix corrects security labelling rather than function implementations. While the capability is used in XSS-prone contexts, neither the advisory nor the commit diff identifies specific functions that handle unsanitized input; the root issue is a missing risk declaration in the access control configuration.
Upgrading to a patched release updates the declared risk, not the roles that already hold the capability. After upgrading, review which roles have moodle/course:managegroups (Site administration > Users > Permissions > Define roles) and confirm each is trusted to the same degree as the holders of other RISK_XSS capabilities.