Main Vulnerability Database Vulnerabilities #VU39808

#VU39808 Weak Password Recovery Mechanism for Forgotten Password in Moodle - CVE-2016-7038

Published: January 20, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39808

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-7038

CWE-ID: CWE-640

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Moodle

Software vendor:
moodle.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

Install update from vendor's website.