CVE-2019-3849
Moodle Users could elevate their role when accessing the LTI tool on a provider site
8.8
HIGH
CVSS 3.1
EPSS 0.37%
Description
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
How to fix CVE-2019-3849
To remediate CVE-2019-3849, upgrade the affected package to a fixed version below.
- Upgrade to 3.4.8 or later
Is CVE-2019-3849 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.4.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |