
Vincent Herbulot

#35501 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2016-1295
7.5
2015-09-23
Moodle · Moodle · CVE-2015-5267
**Name of the Vulnerable Software and Affected Versions**

Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.10, 2.8.x before 2.8.8, 2.9.x before 2.9.2

**Description**

The `random_string` and `complex_random_string` functions in the Moodle learning management system are implemented on top of the PHP `mt_rand` function. A remote attacker can exploit this weakness to predict password-recovery tokens using a brute-force approach, potentially allowing them to obtain a user's password.

**Recommendations**

- For Moodle versions 2.6.11 and earlier, update to version 2.7.10 or later.
- For Moodle versions 2.7.x before 2.7.10, update to version 2.7.10 or later.
- For Moodle versions 2.8.x before 2.8.8, update to version 2.8.8 or later.
- For Moodle versions 2.9.x before 2.9.2, update to version 2.9.2 or later.