4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2015-5265

GHSA ID

GHSA-44xp-wj24-9xxj

EPSS Score

0.53215%

CWE

Published

5/13/2022

Updated

1/26/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-5265

CVE-2015-5265: Moodle allows attackers to delete files

The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor.

(GitHub Advisory)

4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2015-5265

GHSA ID

GHSA-44xp-wj24-9xxj

EPSS Score

0.53215%

CWE

Published

5/13/2022

Updated

1/26/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	>= 2.7.0, < 2.7.10	2.7.10
moodle/moodle	composer	>= 2.8.0, < 2.8.8	2.8.8
moodle/moodle	composer	>= 2.9.0, < 2.9.2	2.9.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing capability checks when configuring the text editor's file management options. The commit diff shows the fix added a capability check in mod/wiki/pagelib.php's constructor to conditionally enable the 'enable_filemanagement' option. In vulnerable versions, this check was absent, causing the editor to display the 'managefiles' button regardless of user permissions. The root cause is the insecure initialization of editor options in the page_wiki_edit class constructor.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** wiki *ompon*nt in Moo*l* t*rou** *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *o*s not *onsi**r t** mo*/wiki:m*n****il*s **p**ility ***or* *ut*orizin* *il* m*n***m*nt, w*i** *llows r*mot* *ut**nti**t** us*rs to **l*t* *

Reasoning

T** vuln*r**ility st*mm** *rom missin* **p**ility ****ks w**n *on*i*urin* t** t*xt **itor's *il* m*n***m*nt options. T** *ommit *i** s*ows t** *ix ***** * **p**ility ****k in mo*/wiki/p***li*.p*p's *onstru*tor to *on*ition*lly *n**l* t** '*n**l*_*il*

4.3

Basic Information

Concerned about an active attack path?

CVE-2015-5265: Moodle allows attackers to delete files

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI