CVE-2015-2272

Name of the Vulnerable Software and Affected Versions Moodle versions 2.5.9 and earlier, 2.6.x before 2.6.9, 2.7.x before 2.7.6, 2.8.x before 2.8.4

Description The issue is related to insufficient access control in the login/token.php component of the Moodle learning management system. This allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token. The vulnerability can be exploited by a remote attacker to ignore the mandatory password change.

Recommendations For versions 2.5.9 and earlier, update to a version later than 2.5.9. For versions 2.6.x before 2.6.9, update to version 2.6.9 or later. For versions 2.7.x before 2.7.6, update to version 2.7.6 or later. For versions 2.8.x before 2.8.4, update to version 2.8.4 or later. As a temporary workaround, consider restricting access to the login/token.php component to minimize the risk of exploitation.