SB2017012015 - Weak Password Recovery Mechanism for Forgotten Password in Moodle
Published: January 20, 2017
Updated: August 8, 2020
Security Bulletin ID: SB2017012015
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2016-7038)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user's password is changed or forced to be changed, so a token issued before the password change remains valid afterwards.
Remediation
Install the update from the vendor's website.