CVE-2019-3810 in Moodle
Summary
by MITRE
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/30/2025
This vulnerability exists in moodle learning management systems across multiple versions including 3.6.1, 3.5.3, 3.4.6, and 3.1.15, representing a cross-site scripting flaw that affects the userpix page functionality. The issue stems from insufficient output escaping of user-provided full names when they appear as hover text over profile images, creating a potential attack vector for malicious actors to execute arbitrary javascript code within the context of a victim's browser session. The vulnerability is classified under CWE-79 as a cross-site scripting weakness, specifically manifesting as reflected XSS in the user interface elements where user data is improperly sanitized. This flaw is particularly concerning because it demonstrates how seemingly innocuous user profile information can become a security risk when not properly escaped during rendering.
The operational impact of this vulnerability is significant within educational environments where moodle platforms host sensitive user data and are frequently accessed by students, teachers, and administrators. Attackers could exploit this vulnerability by registering with malicious payloads in their full names, then navigating to the userpix page or triggering the hover effect through other means. The restriction on default linking and access control does not fully mitigate the risk since the vulnerability can be exploited through social engineering or by users who have gained legitimate access to the platform. This vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter, specifically focusing on javascript execution within the browser context. The flaw represents a classic case of improper input validation where user-supplied data flows directly into html output without appropriate sanitization measures.
Mitigation strategies should include immediate patching of affected moodle versions to the latest stable releases that contain proper output escaping for user profile data. System administrators must ensure that all user-provided content undergoes strict sanitization before being rendered in html contexts, particularly for hover text attributes and other interactive elements. The implementation of content security policies can provide additional defense in depth by restricting script execution and preventing unauthorized code injection. Security monitoring should include detection of unusual user registration patterns or attempts to inject malicious payloads into profile fields. Organizations should also consider implementing web application firewalls that can detect and block known XSS attack patterns targeting moodle's userpix functionality. Regular security audits of user interface components and input validation mechanisms remain crucial for preventing similar vulnerabilities in the future, as this issue demonstrates how seemingly minor output escaping failures can create significant security risks in web applications.