PT-2020-9619 · Moodle+1
Dhananjay Arunesh · Published 2019-11-16 · Updated 2022-05-24
CVE-2019-14880
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Moodle versions 3.7 before 3.7.3
Moodle versions 3.6 before 3.6.7
Moodle versions 3.5 before 3.5.9 and earlier
Description
A vulnerability was found in Moodle. For OAuth 2 providers that do not verify users' email address changes, additional verification is required during sign-up to reduce the risk of account compromise.
Recommendations
For Moodle versions 3.7 before 3.7.3, update to version 3.7.3 or later.
For Moodle versions 3.6 before 3.6.7, update to version 3.6.7 or later.
For Moodle versions 3.5 before 3.5.9 and earlier, update to version 3.5.9 or later.
As a temporary workaround, consider requiring additional verification during sign-up for OAuth 2 providers that do not verify users' email address changes.
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Moodle