CVE-2015-3181

Name of the Vulnerable Software and Affected Versions Moodle versions 2.5.9 and earlier, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6

Description The issue is related to insufficient access control in the files/externallib.php component of the Moodle learning management system. This allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after the moodle/user:manageownfiles capability has been revoked. The vulnerability can be exploited by an attacker to circumvent access restrictions to file management using web services designed for data upload.

Recommendations For Moodle versions 2.5.9 and earlier, update to a version later than 2.5.9 to resolve the issue. For Moodle versions 2.6.x before 2.6.11, update to version 2.6.11 or later. For Moodle versions 2.7.x before 2.7.8, update to version 2.7.8 or later. For Moodle versions 2.8.x before 2.8.6, update to version 2.8.6 or later. As a temporary workaround, consider restricting access to the files/externallib.php component until a patch is available.