CVE-2015-5335: Infoleak
First published: Mon Feb 22 2016(Updated: )
Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.9.0<2.9.3 | 2.9.3 |
| composer/moodle/moodle | >=2.8.0<2.8.9 | 2.8.9 |
| composer/moodle/moodle | <2.7.11 | 2.7.11 |
| Moodle | <=2.6.11 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.7.6 | |
| Moodle | =2.7.7 | |
| Moodle | =2.7.8 | |
| Moodle | =2.7.9 | |
| Moodle | =2.7.10 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 | |
| Moodle | =2.8.4 | |
| Moodle | =2.8.5 | |
| Moodle | =2.8.6 | |
| Moodle | =2.8.7 | |
| Moodle | =2.8.8 | |
| Moodle | =2.9.0 | |
| Moodle | =2.9.1 | |
| Moodle | =2.9.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
- https://moodle.org/mod/forum/discuss.php?d=323230
- https://nvd.nist.gov/vuln/detail/CVE-2015-5335
- https://github.com/moodle/moodle/commit/4bb9e1ad8af12b01499c68543e80f7c12fd557ea
- https://github.com/moodle/moodle/commit/77e072ebec68ba685551b886b71054d1feae6c94
- https://github.com/moodle/moodle/commit/7bf5c6a542efa113dbb241a113cb6079f0572443
- https://github.com/moodle/moodle/commit/a1168a7427f8fa1926a771fe8e6d10aeb6689686
- https://github.com/advisories/GHSA-hpmv-wvq3-gj27 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-5335?
CVE-2015-5335 is classified as a medium severity vulnerability due to its ability to allow CSRF attacks against administrators.
How do I fix CVE-2015-5335?
To fix CVE-2015-5335, upgrade Moodle to version 2.7.11, 2.8.9, or 2.9.3 or later.
What types of attacks are possible with CVE-2015-5335?
CVE-2015-5335 allows attackers to hijack administrator authentication for sending statistics to arbitrary hubs.
Which versions of Moodle are affected by CVE-2015-5335?
CVE-2015-5335 affects Moodle versions 2.6.11 and earlier, as well as 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3.
Is CVE-2015-5335 a cross-site scripting vulnerability?
No, CVE-2015-5335 is a cross-site request forgery (CSRF) vulnerability, not a cross-site scripting (XSS) vulnerability.
- agent/weakness
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hpmv-wvq3-gj27
- alias/CVE-2015-5335
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.6.11
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.7.6
- version/moodle/2.7.7
- version/moodle/2.7.8
- version/moodle/2.7.9
- version/moodle/2.7.10
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3
- version/moodle/2.8.4
- version/moodle/2.8.5
- version/moodle/2.8.6
- version/moodle/2.8.7
- version/moodle/2.8.8
- version/moodle/2.9.0
- version/moodle/2.9.1
- version/moodle/2.9.2