Bug 1668073 (CVE-2019-3810)

Summary: CVE-2019-3810 moodle: User full name is not escaped in the un-linked userpix page (MSA-19-0003)
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: gwync, igor.raits
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: moodle 3.6.2, moodle 3.5.4, moodle 3.4.7, moodle 3.1.16
Bug Depends On: 1668074

Description Laura Pardo 2019-01-21 20:39:45 UTC
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.


References:
https://moodle.org/mod/forum/discuss.php?d=381230#p1536767

Upstream Patch:
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372

Comment 1 Laura Pardo 2019-01-21 20:39:56 UTC
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1668074]