SB2017012015 - Weak Password Recovery Mechanism for Forgotten Password in Moodle
Published: January 20, 2017 Updated: August 8, 2020
Security Bulletin ID
SB2017012015
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2016-7038)
CWE-ID: CWE-640 - Weak password recovery mechanism
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
Remediation
Install update from vendor's website.