CVE-2016-2157: Moodle cross-site request forgery (CSRF) vulnerability
CVSS Score: 8.8 (CVSS v3.0)
Basic Information
- CVE ID: CVE-2016-2157
- GHSA ID:
- EPSS Score: 0.37233%
- CWE:
- Published: 5/13/2022
- Updated: 1/26/2024
- KEV Status: No
- Technology: PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | < 2.7.13 | 2.7.13 |
moodle/moodle | composer | >= 2.8.0, < 2.8.11 | 2.8.11 |
moodle/moodle | composer | >= 2.9.0, < 2.9.5 | 2.9.5 |
moodle/moodle | composer | >= 3.0.0, < 3.0.3 | 3.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the lack of a session token check in mod/assign/adminmanageplugins.php before processing user-supplied parameters ('plugin' and 'action'). The original code retrieved these parameters via optional_param() and passed them directly to assign_plugin_manager->execute(). The absence of require_sesskey() allowed attackers to forge requests that administrators might unintentionally execute. The patch explicitly adds require_sesskey() when the 'plugin' parameter is present, confirming the vulnerability resided in the unvalidated parameter handling leading to the execute() call.
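The pattern the analysis describes, as an added illustrative example (not Moodle's own code or the actual patch): the unguarded handler beside the hardened one, plus the way a legitimate admin page would emit a link that carries the session token. It assumes Moodle's optional_param(), require_sesskey(), sesskey() and moodle_url helpers, the PARAM_ALPHA/PARAM_PLUGIN type constants, and an assign_plugin_manager whose execute() takes ($action, $plugin); the wrapper function names are hypothetical.

```php
<?php
// Illustrative only; assumes the Moodle helpers named in the lead-in.

// Vulnerable pattern: parameters flow straight from the request into execute().
function handle_plugin_action_vulnerable(assign_plugin_manager $pluginmanager) {
    $action = optional_param('action', null, PARAM_ALPHA);
    $plugin = optional_param('plugin', '', PARAM_PLUGIN);
    if (!empty($plugin)) {
        // No require_sesskey(): a request triggered from another site, sent by
        // the browser with the admin's session cookie, reaches execute().
        return $pluginmanager->execute($action, $plugin);
    }
    return null;
}

// Hardened pattern: the state-changing branch demands the session token.
function handle_plugin_action_fixed(assign_plugin_manager $pluginmanager) {
    $action = optional_param('action', null, PARAM_ALPHA);
    $plugin = optional_param('plugin', '', PARAM_PLUGIN);
    if (!empty($plugin)) {
        // Aborts unless the 'sesskey' request parameter equals the token
        // bound to the current session. A cross-site page cannot read that
        // token, so a forged request fails here before any change is made.
        require_sesskey();
        return $pluginmanager->execute($action, $plugin);
    }
    return null;
}

// Legitimate UI: every action link the admin page renders includes the token,
// so only requests originating from this site's own pages carry it.
function plugin_action_url(string $action, string $plugin): moodle_url {
    return new moodle_url('/mod/assign/adminmanageplugins.php', [
        'action'  => $action,
        'plugin'  => $plugin,
        'sesskey' => sesskey(),
    ]);
}
```

When reviewing similar admin pages, the check is mechanical: any branch that ends in a state-changing call reached via request parameters should have a require_sesskey() (or equivalent token check) on its path.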