Skip to main content

Moodle CVE-2019-3809

CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2019-03-25 secalert@redhat.com
10.0
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 25, 2019 - 18:29 nvd
CRITICAL 10.0

DescriptionNVD

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

AnalysisAI

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page. Affected products include: Moodle.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Moodle

View all
CVE-2013-3630 MEDIUM POC
4.6 Nov 01

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell

CVE-2021-21809 CRITICAL POC
9.1 Jun 23

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. Rated critical severi

CVE-2024-43425 HIGH POC
8.1 Nov 07

A flaw was found in Moodle. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authenticatio

CVE-2017-2641 CRITICAL POC
9.8 Mar 26

In Moodle 2.x and 3.x, SQL injection can occur via user preferences. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2025-34031 HIGH POC
7.5 Jun 24

The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query param

CVE-2013-4341 MEDIUM POC
4.3 Sep 16

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, an

CVE-2016-9187 HIGH POC
8.8 Nov 04

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remo

CVE-2016-9186 HIGH POC
8.8 Nov 04

Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows re

CVE-2018-14630 HIGH POC
8.8 Sep 17

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional re

CVE-2018-1133 HIGH POC
8.8 May 25

An issue was discovered in Moodle 3.x. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low a

CVE-2016-7919 HIGH POC
7.5 Oct 28

Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injectio

CVE-2021-47857 HIGH POC
7.2 Jan 21

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows

Share

CVE-2019-3809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy