PT-2019-16735 · Moodle · Moodle

Alejandro Parodi

·

Published

2019-03-25

·

Updated

2022-05-13

·

CVE-2019-3809

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Moodle versions 3.1 to 3.1.15
Moodle versions prior to 3.1
Description

A flaw in the mybackpack functionality allowed the URL of badges to be set to any value, instead of restricting it to the Mozilla Open Badges backpack URL. Because the Moodle server fetches that URL itself, a user who can reach the mybackpack page could direct the server to make requests to arbitrary hosts, including internal network addresses. The response is not returned to the user, so this is a blind Server-Side Request Forgery (SSRF): the attacker learns at most timing or error behaviour and can trigger side effects on services reachable from the server.

Recommendations

Update to a Moodle release that includes the fix for CVE-2019-3809. Where that is not yet possible on Moodle versions 3.1 to 3.1.15, restrict the mybackpack functionality so that only the Mozilla Open Badges backpack URL is accepted (an exact match on the parsed origin, not a prefix comparison on the string), or disable the mybackpack page. Moodle versions prior to 3.1 are unsupported; update to a supported version, or apply the same restriction to reduce the risk of exploitation.
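The restriction the recommendation calls for, as an added example that is not Moodle's own code: a PHP check that accepts a backpack URL only when its parsed origin is exactly the allowed one, shown beside the kind of prefix comparison that common SSRF probes bypass. It assumes the Mozilla Open Badges backpack origin was https://backpack.openbadges.org and that the backpack should only ever be reached over HTTPS on the default port; the function names and the sample URLs are constructed for this example.

```php
<?php
// Added example, not Moodle's code: validate a user-supplied backpack URL
// against an allowlist of exact origins so the server only ever makes
// requests to the intended Open Badges backpack, never to a host chosen
// by the user who set the URL.

// Assumption: the Mozilla Open Badges backpack lived at this origin.
const ALLOWED_BACKPACK_ORIGINS = ['https://backpack.openbadges.org'];

/**
 * Returns true only when $url is an https URL whose origin (scheme + host,
 * default port, no userinfo) is one of the allowed backpack origins.
 */
function is_allowed_backpack_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                  // unparsable, or no host (e.g. file:///etc/passwd)
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;                  // http://, gopher://, dict:// and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                  // https://backpack.openbadges.org@10.0.0.1/ has host 10.0.0.1
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return false;                  // refuse non-default ports even on the allowed host
    }
    $origin = 'https://' . strtolower($parts['host']);
    return in_array($origin, ALLOWED_BACKPACK_ORIGINS, true);
}

/**
 * A string prefix comparison, shown only to contrast with the origin check:
 * a userinfo part or a longer hostname satisfies it while the request goes
 * somewhere else entirely.
 */
function naive_prefix_check(string $url): bool
{
    return strpos($url, 'https://backpack.openbadges.org') === 0;
}

// Constructed inputs: the legitimate backpack plus typical SSRF probes.
$candidates = [
    'https://backpack.openbadges.org',                    // legitimate
    'https://BACKPACK.openbadges.org/',                   // same host, different case
    'http://127.0.0.1:8080/',                             // plain internal target
    'https://backpack.openbadges.org@169.254.169.254/',   // userinfo trick: host is the metadata IP
    'https://backpack.openbadges.org.attacker.example/',  // longer hostname under attacker control
    'https://backpack.openbadges.org:8443/',              // allowed host, non-default port
    'file:///etc/passwd',                                 // no host at all
];

foreach ($candidates as $url) {
    printf("%-52s prefix=%-4s origin=%s\n", $url,
        naive_prefix_check($url) ? 'ok' : 'deny',
        is_allowed_backpack_url($url) ? 'ok' : 'deny');
}
```

Running this with the php command line prints one line per candidate: the userinfo and longer-hostname forms pass the prefix check and are denied by the origin check, while the upper-case host is denied by the prefix check and accepted by the origin check. Matching on the parsed origin removes the user's control over the destination, which is what turns the page's outbound request from an SSRF primitive into a fixed fetch; it does not protect against the allowed host itself being compromised or resolving to an internal address, which needs controls at the HTTP client or network layer.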

Fix

SSRF

CSRF


Weakness Enumeration

Related Identifiers

CVE-2019-3809
GHSA-JP4G-R8C9-3534

Affected Products

Moodle