Veracode Vulnerability Database: VERACODE:4730
Jul 27, 2017 - 1:41 a.m.

Force-Password-Change Bypass

2017-07-27 01:41:08
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5

CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

Moodle is vulnerable to a bypass of the force-password-change requirement. Even when a password change is forced on login, it is possible to use the temporary password to create web service tokens, thus extending the life of the temporary password.
