GHSA-382v-gxj9-ffhc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-382v-gxj9-ffhc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-382v-gxj9-ffhc/GHSA-382v-gxj9-ffhc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-382v-gxj9-ffhc
- Aliases
-
- CVE-2015-5267
- Published
- 2022-05-13T01:12:47Z
- Modified
- 2024-02-16T08:24:40.882902Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Moodle uses predictable password-recovery tokens
- Details
-
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mtrand function to implement the randomstring and complexrandomstring functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
- Database specific
{ "nvd_published_at": "2016-02-22T05:59:00Z", "cwe_ids": [ "CWE-200" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-26T18:11:42Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-5267
- https://github.com/moodle/moodle/commit/289bc7f9e3022918b4cfd2cc9851472f0cea2896
- https://github.com/moodle/moodle/commit/5337b2295237958c93b6c65fa595859aaa7bf257
- https://github.com/moodle/moodle/commit/6e8224365ffcdf328458ea7852dc62574e806119
- https://github.com/moodle/moodle/commit/e4ac3879c2d1f8fe66caa74ff1544248bccef61e
- https://github.com/moodle/moodle
- https://moodle.org/mod/forum/discuss.php?d=320291
- https://web.archive.org/web/20160323063809/http://www.securitytracker.com/id/1033619
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
- http://www.openwall.com/lists/oss-security/2015/09/21/1
Affected packages
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.10
Affected versions
v2.*
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.4.0-rc1
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.4.11
v2.5.0-beta
v2.5.0-rc1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0-beta
v2.6.0-rc1
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
v2.7.0-beta
v2.7.0-rc1
v2.7.0-rc2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle
Packagist / moodle/moodle
Package
- Name
- moodle/moodle
- Purl
- pkg:composer/moodle/moodle