CVE-2016-2159

Name of the Vulnerable Software and Affected Versions Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.13 Moodle versions 2.8.x before 2.8.11 Moodle versions 2.9.x before 2.9.5 Moodle versions 3.0.x before 3.0.3

Description The issue is related to insufficient access control in the save submission function, allowing remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. This can be exploited by a remote attacker to circumvent existing access restrictions.

Recommendations For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.13, update to version 2.7.13 or later. For versions 2.8.x before 2.8.11, update to version 2.8.11 or later. For versions 2.9.x before 2.9.5, update to version 2.9.5 or later. For versions 3.0.x before 3.0.3, update to version 3.0.3 or later. As a temporary workaround, consider restricting the use of the save submission function in the mod/assign/externallib.php file to prevent exploitation.