Search for vulnerabilities
Vulnerability details: VCID-6899-161a-47fh
Vulnerability ID VCID-6899-161a-47fh
Aliases CVE-2019-3809
GHSA-jp4g-r8c9-3534
Summary Moodle Blind SSRF Risk in /badges/mybackpack.php A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 10.0 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
generic_textual CRITICAL http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
epss 0.00279 https://api.first.org/data/v1/epss?cve=CVE-2019-3809
epss 0.00279 https://api.first.org/data/v1/epss?cve=CVE-2019-3809
cvssv3.1 10.0 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
generic_textual CRITICAL https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-jp4g-r8c9-3534
cvssv3.1 10.0 https://github.com/moodle/moodle
generic_textual CRITICAL https://github.com/moodle/moodle
cvssv3.1 10.0 https://moodle.org/mod/forum/discuss.php?d=381229#p1536766
generic_textual CRITICAL https://moodle.org/mod/forum/discuss.php?d=381229#p1536766
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-3809
cvssv3 10.0 https://nvd.nist.gov/vuln/detail/CVE-2019-3809
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2019-3809
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2019-3809
Reference id Reference type URL
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
https://api.first.org/data/v1/epss?cve=CVE-2019-3809
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
https://github.com/moodle/moodle
https://moodle.org/mod/forum/discuss.php?d=381229#p1536766
https://nvd.nist.gov/vuln/detail/CVE-2019-3809
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
GHSA-jp4g-r8c9-3534 https://github.com/advisories/GHSA-jp4g-r8c9-3534
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3809
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/moodle/moodle
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://moodle.org/mod/forum/discuss.php?d=381229#p1536766
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3809
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3809
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3809
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.50926
EPSS Score 0.00279
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:29:59.302390+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jp4g-r8c9-3534/GHSA-jp4g-r8c9-3534.json 36.1.3