
CVE-2019-3851: Moodle Secure layout contained an insecure link in Boost theme

CVSS Score (v3.0): 4.3

Basic Information

EPSS Score: 0.45649%
CWE: -
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    >= 3.5, < 3.5.5       3.5.5
moodle/moodle   composer    >= 3.6, < 3.6.3       3.6.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insecure template markup in the Boost theme's secure layout (navbar-secure.mustache), not from specific PHP functions. The commit diff shows removal of an <a> tag linking to config.wwwroot in the template file, which allowed navigation to the home page. While template rendering mechanisms are involved, no specific PHP functions were identified as vulnerable - the issue resides purely in the template structure allowing unintended navigation. The added test files (securelayout.feature, securetestpage.php) validate the fix but don't represent vulnerable code.


WAF Protection Rules

WAF Rule

A vulnerability was found in moodle before versions 3.5.5 and 3.6.3. There was a link to site home within the Boost theme's secure layout, meaning students could navigate out of the page.
