PT-2021-8980 · Moodle
Frederik Schou Schmidt · Published 2019-09-11 · Updated 2023-02-12
CVE-2019-14830
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Moodle versions 3.7 through 3.7.1
Moodle versions 3.6 through 3.6.5
Moodle versions 3.5 through 3.5.7
Moodle versions prior to 3.5
Description
A vulnerability was found in the mobile launch endpoint, which contained an open redirect in some circumstances. This could result in a user's mobile access token being exposed. The issue does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app".
Recommendations
For Moodle versions 3.7 through 3.7.1, update to a version outside of this range to mitigate the risk.
For Moodle versions 3.6 through 3.6.5, update to a version outside of this range to mitigate the risk.
For Moodle versions 3.5 through 3.5.7, update to a version outside of this range to mitigate the risk.
For Moodle versions prior to 3.5, update to a version 3.5 or later to mitigate the risk.
As a temporary workaround, consider disabling the mobile launch endpoint until a patch is available.
Restrict access to the mobile service to minimize the risk of exploitation.
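The mitigation the description points at ("a forced URL scheme configured") is, in essence, refusing to let the client choose where a token-carrying redirect goes. The following is an added illustration of that check and is not Moodle's code; the function names, the `moodlemobile` allow-list entry and the `scheme://token=...` redirect format are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of app URL schemes a launch redirect may target.
ALLOWED_SCHEMES = frozenset({"moodlemobile"})


def build_launch_redirect_unvalidated(requested_scheme, token):
    """The open-redirect pattern the advisory describes (for contrast only):
    the client-supplied scheme is used as-is, so the redirect, and the token
    embedded in it, can be sent to any destination the client names."""
    return f"{requested_scheme}://token={token}"


def build_launch_redirect(requested_scheme, token, forced_scheme=None):
    """Return the redirect target, or None when the scheme is not trusted.

    requested_scheme: scheme asked for by the client (attacker-controllable).
    forced_scheme:    site-wide configured scheme; when set it always wins,
                      which is the "forced URL scheme" mitigation.
    """
    scheme = forced_scheme if forced_scheme else requested_scheme
    if scheme is None:
        return None
    scheme = scheme.strip().lower()
    # A URL scheme is a plain token (RFC 3986): a letter followed by letters,
    # digits, '+', '-' or '.'. Anything else (':', '/', '?', '@' ...) cannot
    # be a scheme and would let the client smuggle in a host or path.
    if not scheme or not scheme[0].isalpha():
        return None
    if not all(c.isalnum() or c in "+-." for c in scheme):
        return None
    if scheme not in ALLOWED_SCHEMES:
        return None
    return f"{scheme}://token={token}"


def is_trusted_redirect(url, allowed=ALLOWED_SCHEMES):
    """Framework-level guard: parse the final redirect URL and accept it only
    if its scheme is on the allow-list. Scheme-relative ('//host') and web
    schemes are rejected, so a token never leaves for an arbitrary host."""
    return urlsplit(url).scheme.lower() in allowed


if __name__ == "__main__":
    # Constructed inputs: a legitimate app scheme and a web URL posing as one.
    for requested in ("moodlemobile", "https://example.net/?"):
        print(requested, "->", build_launch_redirect(requested, "TOKEN"))
```

Note that `is_trusted_redirect` checks the assembled URL rather than the raw parameter, so it also catches cases where a scheme check was bypassed or forgotten upstream; the two checks are complementary, not alternatives.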
Weakness Enumeration
Open Redirect
Affected Products
Alt Linux
Moodle