GitHub Advisory DatabaseGHSA-454R-4CJV-VC9HMoodle allows attackers to obtain manager privileges
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
51.6%
The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.
Affected configurations
References
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
www.openwall.com/lists/oss-security/2015/09/21/1
github.com/advisories/GHSA-454r-4cjv-vc9h
github.com/moodle/moodle/commit/936facab28d8d8bd03f38da42cb80fafba1a06db
github.com/moodle/moodle/commit/ab006d43e48add8e5495141d4d750c1531772ca2
github.com/moodle/moodle/commit/dff6cdc88355f22ebaaf8f00c44a1ad51d272344
github.com/moodle/moodle/commit/f7fbc80766b72ed1c9915698edd443ee8f6eafbd
moodle.org/mod/forum/discuss.php?d=320290
nvd.nist.gov/vuln/detail/CVE-2015-5266
web.archive.org/web/20160323063809/www.securitytracker.com/id/1033619
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
51.6%