A vulnerability has been found in Moodle up to 3.1.1/3.4.8/3.5.5/3.6.3 (Learning Management Software) and classified as critical. This vulnerability affects some unknown processing of the component Upload Handler. The manipulation of the argument redirect with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

The weakness was disclosed 06/26/2019 as not defined bug report (Bugzilla). The advisory is shared for download at bugzilla.redhat.com. This vulnerability was named CVE-2019-10133 since 03/27/2019. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1204.001.

Upgrading to version 3.1.2, 3.4.9, 3.5.6, 3.6.4 or 3.7 eliminates this vulnerability.

The entries VDB-136914 and VDB-136913 are pretty similar. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Learning Management Software

Name

• Moodle

Version

• 3.1.0
• 3.1.1
• 3.4.0
• 3.4.1
• 3.4.2
• 3.4.3
• 3.4.4
• 3.4.5
• 3.4.6
• 3.4.7
• 3.4.8
• 3.5.0
• 3.5.1
• 3.5.2
• 3.5.3
• 3.5.4
• 3.5.5
• 3.6.0
• 3.6.1
• 3.6.2
• 3.6.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion