MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins.  

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").


Severity/Risk:Serious
Versions affected:3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:3.7.2, 3.6.6 and 3.5.8
Reported by:Frederik Schou Schmidt
Workaround:Configure the "Forced URL scheme" (forcedurlscheme) option in site administration to either the app's custom URL scheme, or "moodlemobile" for sites using the standard Moodle app. Alternative workaround options include disabling mobile service (enablemobilewebservice), or changing the mobile app login method (typeoflogin) to "via the app" if possible (instead of via SSO plugin) until the patch is applied.
CVE identifier:CVE-2019-14830
Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501
Tracker issue:MDL-66501 Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

Read more https://moodle.org/mod/forum/discuss.php?d=391036&parent=1576214