Vulnerability details: VCID-yxzy-2tsx-y3ff
Vulnerability ID VCID-yxzy-2tsx-y3ff
Aliases CVE-2019-3847
GHSA-qrcj-6fjw-3h9h
Summary Moodle XSS Vulnerability. A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
System Score Found at
epss 0.01255 https://api.first.org/data/v1/epss?cve=CVE-2019-3847
cvssv3.1 4.8 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qrcj-6fjw-3h9h
cvssv3.1 4.8 https://github.com/moodle/moodle
generic_textual MODERATE https://github.com/moodle/moodle
cvssv3.1 4.8 https://github.com/moodle/moodle/commit/070f24d006eab6b958eb083530de159b43c538ed
generic_textual MODERATE https://github.com/moodle/moodle/commit/070f24d006eab6b958eb083530de159b43c538ed
cvssv3.1 4.8 https://github.com/moodle/moodle/commit/93dda3bfd3caaaa8d23fe8ede543f27ef774958d
generic_textual MODERATE https://github.com/moodle/moodle/commit/93dda3bfd3caaaa8d23fe8ede543f27ef774958d
cvssv3.1 4.8 https://github.com/moodle/moodle/commit/a37e26d2efe1ca0e4d8d69c611a748af35b33674
generic_textual MODERATE https://github.com/moodle/moodle/commit/a37e26d2efe1ca0e4d8d69c611a748af35b33674
cvssv3.1 4.8 https://github.com/moodle/moodle/commit/e836242e1c04cd62d0afa4a790074fd245628e7a
generic_textual MODERATE https://github.com/moodle/moodle/commit/e836242e1c04cd62d0afa4a790074fd245628e7a
cvssv3.1 4.8 https://github.com/moodle/moodle/commit/ec3b63c772d6448765c68268234cf36c1a91bcac
generic_textual MODERATE https://github.com/moodle/moodle/commit/ec3b63c772d6448765c68268234cf36c1a91bcac
cvssv3.1 4.8 https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
generic_textual MODERATE https://moodle.org/mod/forum/discuss.php?d=384010#p1547742
cvssv2 3.5 https://nvd.nist.gov/vuln/detail/CVE-2019-3847
cvssv3.1 4.8 https://nvd.nist.gov/vuln/detail/CVE-2019-3847
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-3847
cvssv3.1 4.8 https://web.archive.org/web/20200227082922/http://www.securityfocus.com/bid/107489
generic_textual MODERATE https://web.archive.org/web/20200227082922/http://www.securityfocus.com/bid/107489
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)


Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/070f24d006eab6b958eb083530de159b43c538ed

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/93dda3bfd3caaaa8d23fe8ede543f27ef774958d

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/a37e26d2efe1ca0e4d8d69c611a748af35b33674

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/e836242e1c04cd62d0afa4a790074fd245628e7a

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/moodle/moodle/commit/ec3b63c772d6448765c68268234cf36c1a91bcac

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://moodle.org/mod/forum/discuss.php?d=384010#p1547742

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3847
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)


Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3847

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://web.archive.org/web/20200227082922/http://www.securityfocus.com/bid/107489

Exploit Prediction Scoring System (EPSS)
Percentile 0.78415
EPSS Score 0.01255
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:30:31.156162+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qrcj-6fjw-3h9h/GHSA-qrcj-6fjw-3h9h.json 36.1.3