MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens
System information
Affected software | PHP
Description
by Michael Hawkins. The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app".)
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Frederik Schou
More info:
https://moodle.org/mod/forum/discuss.php?d=391036&parent=1576214
Standard resources
Property | Value
CVE | CVE-2019-14830