GHSA-5wg9-5w3f-hxmh

GitHub Security Advisory

Moodle Users could elevate their role when accessing the LTI tool on a provider site

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

A vulnerability was found in Moodle versions before 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI by modifying the request to the LTI publisher site.

Affected Packages

Packagist moodle/moodle
Affected versions: 0 (fixed in 3.4.8)
Packagist moodle/moodle
Affected versions: 3.5 (fixed in 3.5.5)
Packagist moodle/moodle
Affected versions: 3.6 (fixed in 3.6.3)

Related CVEs

Key Information

GHSA ID
GHSA-5wg9-5w3f-hxmh
Published
May 13, 2022 1:14 AM
Last Modified
January 26, 2024 6:20 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
moodle/moodle
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.