GHSA-5wg9-5w3f-hxmh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5wg9-5w3f-hxmh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5wg9-5w3f-hxmh/GHSA-5wg9-5w3f-hxmh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5wg9-5w3f-hxmh
- Aliases
- Published
- 2022-05-13T01:14:32Z
- Modified
- 2024-02-16T08:25:00.548328Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Moodle Users could elevate their role when accessing the LTI tool on a provider site
- Details
-
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
- Database specific
{ "nvd_published_at": "2019-03-26T18:29:00Z", "cwe_ids": [ "CWE-269" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-26T18:20:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-3849
- https://github.com/moodle/moodle/commit/427463a52574e4b3bcbe1c65c49066438770641e
- https://github.com/moodle/moodle/commit/430f685834cef190bdf58afabe79e765d596890d
- https://github.com/moodle/moodle/commit/723d1a747555b795ed53a0fad01da455797bb78f
- https://github.com/moodle/moodle/commit/898d5d05a0c3ae6795db0241bf3cb5951213d45c
- https://github.com/moodle/moodle/commit/b77dcd23d8e39265b5c096f0d947764c02d832c8
- https://github.com/moodle/moodle/commit/cd3060d941a051931eb2613b25bafb0108665895
- https://github.com/moodle/moodle/commit/fba7dcd90abd45210d782a79c6e25bb3840c7438
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3849
- https://github.com/moodle/moodle
- https://moodle.org/mod/forum/discuss.php?d=384012#p1547744
Affected packages
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.4.8
Affected versions
v2.*
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.4.0-rc1
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.4.11
v2.5.0-beta
v2.5.0-rc1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0-beta
v2.6.0-rc1
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
v2.7.0-beta
v2.7.0-rc1
v2.7.0-rc2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.20
v2.8.0-beta
v2.8.0-rc1
v2.8.0-rc2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.8.10
v2.8.11
v2.8.12
v2.9.0-beta
v2.9.0-rc1
v2.9.0-rc2
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9
v3.*
v3.0.0-beta
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.1.0-beta
v3.1.0-rc1
v3.1.0-rc2
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.2.0-beta
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0-beta
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0-beta
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle