The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.15 and earlier unsupported versions |
| Versions fixed: | 3.1.16 |
| Reported by: | Alejandro Parodi |
| Workaround: | Ensure your firewall rules effectively protect other internal hosts and ports from unauthorised access. |
| CVE identifier: | CVE-2019-3809 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222 |
| Tracker issue: | MDL-64222 Blind SSRF risk in /badges/mybackpack.php |