Frederik Schou Schmidt

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.7 through 3.7.1 Moodle versions 3.6 through 3.6.5 Moodle versions 3.5 through 3.5.7 Moodle versions prior to 3.5 **Description** A vulnerability was found in the mobile launch endpoint, which contained an open redirect in some circumstances. This could result in a user's mobile access token being exposed. The issue does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app". **Recommendations** For Moodle versions 3.7 through 3.7.1, update to a version outside of this range to mitigate the risk. For Moodle versions 3.6 through 3.6.5, update to a version outside of this range to mitigate the risk. For Moodle versions 3.5 through 3.5.7, update to a version outside of this range to mitigate the risk. For Moodle versions prior to 3.5, update to a version 3.5 or later to mitigate the risk. As a temporary workaround, consider disabling the mobile launch endpoint until a patch is available. Restrict access to the mobile service to minimize the risk of exploitation.