PT-2016-1295 · Moodle · Moodle

Us3R777 · Published 2015-09-23 · Updated 2022-05-13 · CVE-2015-5267

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.10, 2.8.x before 2.8.8, 2.9.x before 2.9.2

Description

The issue lies in the implementation of the random_string and complex_random_string functions in the Moodle learning management system, which rely on the PHP mt_rand function. mt_rand is a Mersenne Twister, not a cryptographically secure generator, so its output is predictable once a remote attacker has observed or guessed its state; this allows password-recovery tokens to be predicted by brute force, potentially letting the attacker obtain a user's password.

Recommendations

For Moodle versions 2.6.11 and earlier, update to version 2.7.10 or later. For Moodle versions 2.7.x before 2.7.10, update to version 2.7.10 or later. For Moodle versions 2.8.x before 2.8.8, update to version 2.8.8 or later. For Moodle versions 2.9.x before 2.9.2, update to version 2.9.2 or later.
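The weak pattern the advisory describes, beside a hardened form, as an added illustration that is not Moodle's own code (the function names weak_random_string, secure_random_string and token_matches are hypothetical; the alphabet and seed value are constructed for the demonstration):

```php
<?php
// Added illustration, not Moodle's code. Shows why a token generator built on
// mt_rand() is predictable and what a CSPRNG-backed replacement looks like.
declare(strict_types=1);

// Constructed token alphabet for the example.
const TOKEN_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/**
 * Weak (hypothetical name): every character comes from mt_rand(). The Mersenne
 * Twister is a deterministic function of a 32-bit seed and is not designed to
 * resist prediction, so tokens produced this way are guessable.
 */
function weak_random_string(int $length): string
{
    $max = strlen(TOKEN_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= TOKEN_ALPHABET[mt_rand(0, $max)];
    }
    return $out;
}

/**
 * Hardened (hypothetical name): random_int() (PHP >= 7.0) draws from the
 * operating system CSPRNG and throws rather than falling back to a weak source.
 */
function secure_random_string(int $length): string
{
    $max = strlen(TOKEN_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

/**
 * Compare a submitted recovery token with the stored one in constant time, so
 * the comparison itself does not leak how many leading characters matched.
 */
function token_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Constructed demonstration: reseeding with the same value reproduces the
// weak token exactly, which is the property that makes it predictable.
mt_srand(12345);
$first = weak_random_string(20);
mt_srand(12345);
$second = weak_random_string(20);
assert($first === $second);

// CSPRNG output has no seed to replay; two draws differ.
$t1 = secure_random_string(20);
$t2 = secure_random_string(20);
assert($t1 !== $t2);
assert(token_matches($t1, $t1) && !token_matches($t1, $t2));

echo "weak token (seed 12345): $first\n";
echo "secure token:            $t1\n";
```

Tokens generated this way should also be stored hashed and given a short expiry, so that a leaked or guessed token has a narrow window of use; the constant-time comparison above keeps the verification step from adding a timing side channel.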

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2016-00592
CVE-2015-5267
GHSA-382V-GXJ9-FFHC
MGASA-2015-0381

Affected Products

Moodle