The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
Severity/Risk: |
Serious |
Versions affected: |
3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
Versions fixed: |
3.7.2, 3.6.6 and 3.5.8 |
Reported by: |
Frederik Schou Schmidt |
Workaround: |
Configure the "Forced URL scheme" (forcedurlscheme) option in site administration to either the app's custom URL scheme, or "moodlemobile" for sites using the standard Moodle app. Alternative workaround options include disabling mobile service (enablemobilewebservice), or changing the mobile app login method (typeoflogin) to "via the app" if possible (instead of via SSO plugin) until the patch is applied. |
CVE identifier: |
CVE-2019-14830 |
Changes (master): |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501 |
Tracker issue: |
MDL-66501 Open redirect in the mobile launch endpoint could be used to expose mobile access tokens |