From 68bef258fd14ce8f45daf8847316d0b5579f079f Mon Sep 17 00:00:00 2001
From: Laura Pardo
Date: Tue, 26 Mar 2019 13:32:39 -0300
Subject: [PATCH 1/2] CVE-2019-3847
---
 2019/3xxx/CVE-2019-3847.json | 82 ++++++++++++++++++++++++++++++++----
 1 file changed, 74 insertions(+), 8 deletions(-)
diff --git a/2019/3xxx/CVE-2019-3847.json b/2019/3xxx/CVE-2019-3847.json
index 79306bc03ae..50921032332 100644
--- a/2019/3xxx/CVE-2019-3847.json
+++ b/2019/3xxx/CVE-2019-3847.json
@@ -1,18 +1,84 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "cve@mitre.org",
- "ID": "CVE-2019-3847",
- "STATE": "RESERVED"
- },
- "data_format": "MITRE",
 "data_type": "CVE",
+ "data_format": "MITRE",
 "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2019-3847",
+ "ASSIGNER": "lpardo@redhat.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "[UNKNOWN]",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "moodle",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.6.3"
+ },
+ {
+ "version_value": "3.5.5"
+ },
+ {
+ "version_value": "3.4.8"
+ },
+ {
+ "version_value": "3.1.17"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847",
+ "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3847",
+ "refsource": "CONFIRM"
+ },
+ {
+ "url": "https://moodle.org/mod/forum/discuss.php?d=384010#p1547742"
+ }
+ ]
+ },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the \"login as other users\" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
+"
 }
 ]
+ },
+ "impact": {
+ "cvss": [
+ [
+ {
+ "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.0"
+ }
+ ]
+ ]
 }
-}
\ No newline at end of file
+}
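Review bot: The `version_data` entries list 3.6.3, 3.5.5, 3.4.8 and 3.1.17 as bare `version_value`s, but the description says the flaw is in releases before those, so a consumer matching on this block would flag the fixed releases and miss the vulnerable ones; each entry should carry a range operator, e.g. `"version_affected": "<"` next to `"version_value": "3.6.3"`. The `vectorString` begins with the base score (`5.4/CVSS:3.0/...`), which a CVSS parser is unlikely to accept as a v3.0 vector; keep the vector as `"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"` and carry the score separately, e.g. `"baseScore": 5.4`. The problem type `CWE-285` also looks at odds with the description, which reads as user-supplied script not being escaped on output (normally CWE-79), so the classification is worth confirming. The second reference has only a `url`, with no `name` or `refsource`, unlike the first.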
From f954906dcf229b13ff4fd5ab132223561698326a Mon Sep 17 00:00:00 2001
From: Laura Pardo
Date: Tue, 26 Mar 2019 17:57:30 -0300
Subject: [PATCH 2/2] edit invalid line break
---
 2019/3xxx/CVE-2019-3847.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/2019/3xxx/CVE-2019-3847.json b/2019/3xxx/CVE-2019-3847.json
index 50921032332..fc3141d2b44 100644
--- a/2019/3xxx/CVE-2019-3847.json
+++ b/2019/3xxx/CVE-2019-3847.json
@@ -66,8 +66,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the \"login as other users\" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
-"
+ "value": "A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the \"login as other users\" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf."
 }
 ]
 },