Bug 1941743 (CVE-2019-14831)

Summary: CVE-2019-14831 moodle: forum subscribe link contained an open redirect if forced subscription mode was enabled
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: gwync, igor.raits
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Moodle where the forum subscribe link contained an open redirect if forced subscription mode was enabled.
Last Closed: 2021-10-28 05:29:39 UTC
Bug Depends On: 1941748

Description Guilherme de Almeida Suckevicz 2021-03-22 16:50:03 UTC
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

Reference:
https://moodle.org/mod/forum/discuss.php?d=391037

Upstream patch:
https://git.moodle.org/gw?p=moodle.git;a=commit;h=32e2e06a8737afb07ee83abb3eacd39f8b181216

Comment 1 Guilherme de Almeida Suckevicz 2021-03-22 16:52:03 UTC
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1941748]