CVE-2016-7038 – moodle/moodle
Package
Manager: composer
Name: moodle/moodle
Vulnerable Version: >=2.7 <2.7.16 || >=2.9 <2.9.8 || >=3.0 <3.0.6 || >=3.1 <3.1.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00195 (percentile: 0.41617)
Details
Moodle Weak Password Recovery Mechanism for Forgotten Password
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
Metadata
Created: 2022-05-13T01:12:40Z
Modified: 2024-04-23T23:41:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2phx-w35g-x9vm/GHSA-2phx-w35g-x9vm.json
CWE IDs: ["CWE-640"]
Alternative ID: GHSA-2phx-w35g-x9vm
Finding: F087
Auto approve: 1