Description
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
Remediation
References
Related Vulnerabilities
WordPress Plugin RSS Post Importer Cross-Site Scripting (2.2.1)
TYPO3 Cleartext Transmission of Sensitive Information Vulnerability (CVE-2017-6370)
WordPress Plugin Wu-Rating Cross-Site Scripting (1.0 12319)
WordPress Plugin Gallery by BestWebSoft Cross-Site Scripting (4.2.1)
WordPress Plugin Broken Link Checker Multiple Cross-Site Scripting Vulnerabilities (1.9.1)