Bug 1692927 (CVE-2019-3851)

Summary: CVE-2019-3851 moodle: Secure layout contained an insecure link in Boost theme
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: gwync, igor.raits, sergio, thosewerethedayswheniwas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 3.6.3, moodle 3.5.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:52:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1692930, 1692931    
Bug Blocks:    

Description Laura Pardo 2019-03-26 17:05:49 UTC 
A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.


Upstream Bug:
https://tracker.moodle.org/browse/MDL-64706

Upstream Patch:
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706
Comment 1 Laura Pardo 2019-03-26 17:05:52 UTC 
Acknowledgments:

Name: Martin von Löwis, Luca Bösch
Comment 2 Laura Pardo 2019-03-26 17:05:55 UTC 
External References:

https://moodle.org/mod/forum/discuss.php?d=384014#p1547746
Comment 3 Laura Pardo 2019-03-26 17:06:15 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1692931]
Affects: fedora-all [bug 1692930]
Comment 4 Product Security DevOps Team 2019-06-10 10:52:09 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 5 Garry Sandu 2023-07-24 02:42:14 UTC 
Ensuring a secure browsing experience for all users is of utmost importance, and it's concerning to find that the Boost theme's layout contained an insecure link. Insecure links can potentially expose users to security risks, data breaches, and other vulnerabilities. Just like students really feel insecure while using any writing platforms but when it comes on Edubirdie they always check  https://www.aresearchguide.com/edubirdie-review.html site to see what people think about it because there are many reviews of the previous users who actually experienced its writers.