Description

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

Remediation

References

CVE-2019-3848

Related Vulnerabilities

WordPress Plugin ImageMagick Engine Cross-Site Request Forgery (1.7.4)

WordPress Plugin spam-byebye Cross-Site Scripting (2.2.1)

WordPress Plugin Facebook for WordPress Cross-Site Request Forgery (3.0.3)

WordPress Plugin WordPress Video Player Cross-Site Scripting (1.5.1)

WordPress Plugin Stripe Payment for WooCommerce Cross-Site Scripting (3.5.9)

Severity

Medium

Classification

CVE-2019-3848 CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities