CVE-2019-3808
Description
The 'manage groups' capability in Moodle lacked the XSS risk flag, enabling stored cross-site scripting for teachers and managers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw was found in Moodle where the moodle/course:managegroups capability did not have the XSS risk flag assigned, despite the capability allowing access to areas where XSS can be introduced. This affects Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15, and earlier unsupported versions [1][2].
Exploitation
An attacker with the manage groups capability (typically teachers and managers) can inject malicious scripts when creating or modifying groups. No additional authentication is required beyond having the trusted role. The script is stored and executed when any user views the affected page.
Impact
Successful exploitation leads to stored cross-site scripting (XSS), which can result in information disclosure, session hijacking, or further compromise of the Moodle instance. The attacker gains the ability to execute arbitrary JavaScript in the context of the victim's session, potentially escalating privileges or accessing sensitive data.
Mitigation
The fix was committed in Moodle commit 6360f87, which adds 'riskbitmask' => RISK_XSS to the capability definition [4]. Moodle issued security releases: 3.6.x sites should upgrade to 3.6.2, 3.5.x to 3.5.4, 3.4.x to 3.4.7 and 3.1.x to 3.1.16. Users on unsupported versions should upgrade to a supported release. No workarounds are documented.
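The one-line fix makes sense once you know what a Moodle risk bitmask is: it is metadata on the capability definition, not an input filter. Moodle uses the RISK_* flags to warn administrators (on role definition pages and in capability reports) that granting the capability hands a role the ability to inject HTML or script, so a capability that unlocks HTML-accepting forms but carries no flag is silently handed to roles that an administrator would otherwise think twice about. A defender reviewing a core upgrade or a third-party plugin can therefore audit every write capability that declares no risk at all. The script below does that; it is an added example, not Moodle's own code, and it assumes the 'name' => array('riskbitmask' => ..., 'captype' => ..., ...) layout used by Moodle's lib/db/access.php and plugin db/access.php files. The sample file is constructed: its first entry mirrors the pre-fix managegroups definition from this CVE, and the local/example capabilities are invented for illustration.

```python
"""Audit Moodle capability definitions for write capabilities that carry no
risk flags. Added example, not Moodle's own code: it assumes the
'name' => array('riskbitmask' => ..., 'captype' => ..., ...) layout that
Moodle's lib/db/access.php and plugin db/access.php files use.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample modelled on the layout of Moodle's lib/db/access.php.
# The first entry mirrors the pre-fix state from CVE-2019-3808 (no riskbitmask);
# the local/example entries are invented for illustration, not copied from Moodle.
SAMPLE_ACCESS_PHP = """<?php
$capabilities = array(
    'moodle/course:managegroups' => array(
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'archetypes' => array(
            'editingteacher' => CAP_ALLOW,
            'manager' => CAP_ALLOW
        )
    ),
    'local/example:editbanner' => array(
        'riskbitmask' => RISK_XSS | RISK_SPAM,
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'manager' => CAP_ALLOW
        )
    ),
    'local/example:viewbanner' => array(
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'user' => CAP_ALLOW
        )
    )
);
"""

# The same constructed file with the CVE-2019-3808 fix line applied.
PATCHED_ACCESS_PHP = SAMPLE_ACCESS_PHP.replace(
    "'moodle/course:managegroups' => array(\n",
    "'moodle/course:managegroups' => array(\n        'riskbitmask' => RISK_XSS,\n",
)


@dataclass
class Capability:
    name: str
    captype: Optional[str]
    contextlevel: Optional[str]
    risks: Set[str] = field(default_factory=set)


# Capability names look like 'component/area:action' and open an array(...).
_CAP_RE = re.compile(r"'(\w+/\w+:\w+)'\s*=>\s*array\s*\(")


def _balanced_body(src: str, open_idx: int) -> str:
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced parentheses in capability definition")


def _scalar_field(body: str, key: str) -> Optional[str]:
    """Value of a 'key' => value entry, read up to the next comma, paren or newline."""
    m = re.search(r"'%s'\s*=>\s*([^,\)\n]+)" % key, body)
    return m.group(1).strip() if m else None


def parse_capabilities(src: str) -> List[Capability]:
    caps: List[Capability] = []
    for m in _CAP_RE.finditer(src):
        body = _balanced_body(src, m.end() - 1)
        risk_expr = _scalar_field(body, "riskbitmask") or ""
        captype = _scalar_field(body, "captype")
        caps.append(Capability(
            name=m.group(1),
            captype=captype.strip("'\"") if captype else None,
            contextlevel=_scalar_field(body, "contextlevel"),
            # riskbitmask is a bitwise OR of RISK_* constants, e.g. RISK_XSS | RISK_SPAM
            risks=set(re.findall(r"RISK_[A-Z]+", risk_expr)),
        ))
    return caps


def unflagged_write_capabilities(caps: List[Capability]) -> List[str]:
    """Write capabilities that declare no risk at all. Each one is a review item:
    does any page it unlocks accept HTML or other risky input?"""
    return [c.name for c in caps if c.captype == "write" and not c.risks]


def has_risk(caps: List[Capability], name: str, flag: str = "RISK_XSS") -> bool:
    """True if the named capability declares the given RISK_* flag."""
    for c in caps:
        if c.name == name:
            return flag in c.risks
    raise KeyError(name)


if __name__ == "__main__":
    for label, src in (("before fix", SAMPLE_ACCESS_PHP), ("after fix", PATCHED_ACCESS_PHP)):
        print(label, "->", unflagged_write_capabilities(parse_capabilities(src)))
```

Run against a real access.php, the report is a list of capabilities to look at, not a list of bugs: a write capability can legitimately carry no risk flag when nothing it unlocks accepts rich input. The point of the check is that a missing flag is invisible in the role editor, so it is worth surfacing deliberately.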
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.6.0, < 3.6.2 | 3.6.2 |
| moodle/moodle (Packagist) | >= 3.5.0, < 3.5.4 | 3.5.4 |
| moodle/moodle (Packagist) | >= 3.2.0, < 3.4.7 | 3.4.7 |
| moodle/moodle (Packagist) | < 3.1.16 | 3.1.16 |
Affected products
Patches (2)
6360f87cdca7 MDL-64395 groups: Added XSS Risk to the manage groups capability
2 files changed · +2 −1
lib/db/access.php+1 −0 modified@@ -1123,6 +1123,7 @@ ), 'moodle/course:managegroups' => array( + 'riskbitmask' => RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_COURSE,
version.php+1 −1 modified@@ -29,7 +29,7 @@ defined('MOODLE_INTERNAL') || die(); -$version = 2018122000.01; // YYYYMMDD = weekly release date of this DEV branch. +$version = 2018122000.02; // YYYYMMDD = weekly release date of this DEV branch. // RR = release increments - 00 in DEV branches. // .XX = incremental changes.
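Review bot: the new 'riskbitmask' => RISK_XSS entry in lib/db/access.php is metadata that Moodle shows to administrators when a role is granted moodle/course:managegroups; it does not change what the group forms accept. Sites that already assigned this capability to custom roles will see no behavioural change, so the accompanying release notes should tell administrators to re-review those role assignments once the flag is visible.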
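Review bot: the version.php bump from 2018122000.01 to 2018122000.02 is the right increment for a definition-only change (the ".XX = incremental changes" rule in the comment) and is what actually applies the fix on existing installs, since capability definitions are re-synced to the database during the upgrade step that a version change triggers; a backport to each affected stable branch will need its own bump.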
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-4r2p-wpv5-683w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-3808 (GHSA, advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM, web)
- github.com/moodle/moodle/commit/6360f87cdca744a6a71c315853f6d811a3e54e26 (GHSA, web)
- moodle.org/mod/forum/discuss.php (GHSA, x_refsource_CONFIRM, web)
News mentions (0)
No linked articles in our index yet.