CVE-2019-14830 - Vulnerability Details - OpenCVE

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
https://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=d4985a77391123c5959db432c076328f8d5e3624
https://moodle.org/mod/forum/discuss.php?d=391036

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-03-19T20:15:25

Updated: 2024-08-05T00:26:39.141Z

Reserved: 2019-08-10T00:00:00

Link: CVE-2019-14830

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-19T21:15:12.040

Modified: 2024-11-21T04:27:27.193

Link: CVE-2019-14830

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D443C9B-4E6C-4DFC-BC79-249FE71A44CB", "versionEndIncluding": "3.5.7", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "850D661D-990A-4A27-864B-1F52DD5F94D8", "versionEndIncluding": "3.6.5", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2879DC1-468C-4692-9D43-23DAFB088145", "versionEndIncluding": "3.7.1", "versionStartIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is \"via the app\")."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Moodle versiones 3.7 hasta 3.7.1, versiones 3.6 hasta 3.6.5, versiones 3.5 hasta 3.5.7 y versiones anteriores no compatibles, donde el endpoint de lanzamiento m\u00f3vil conten\u00eda un redireccionamiento abierto en algunas circunstancias, lo que podr\u00eda resultar en un token de acceso m\u00f3vil de un usuario sea expuesto. (Nota: esto no afecta a sitios con un esquema de URL forzado configurado, servicio m\u00f3vil desactivado o donde el m\u00e9todo de inicio de sesi\u00f3n de la aplicaci\u00f3n m\u00f3vil es \"via the app\")"}], "id": "CVE-2019-14830", "lastModified": "2024-11-21T04:27:27.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-19T21:15:12.040", "references": [{"source": "secalert@redhat.com", "url": "https://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=d4985a77391123c5959db432c076328f8d5e3624"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=391036"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=d4985a77391123c5959db432c076328f8d5e3624"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=391036"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "secalert@redhat.com", "type": "Secondary"}]}