Description

login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token.

Remediation

References

CVE-2015-2272

Related Vulnerabilities

IBM WebSEAL Incorrect Default Permissions Vulnerability (CVE-2023-38370)

Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2023-32679)

MySQL Other Vulnerability (CVE-2002-1921)

Sqlite Improper Input Validation Vulnerability (CVE-2017-13685)

Drupal Core 6.x Session Hijacking (6.0 - 6.33)

Severity

Medium

Classification

CVE-2015-2272 CWE-264

Tags

Missing Update Known Vulnerabilities