Description
admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user.
References (3)
Core References
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/11/14/1
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=22a77963439e00441949440f0517135b3a5418da
Vendor Advisory x_refsource_confirm
http://moodle.org/mod/forum/discuss.php?d=175588
Scores
EPSS
0.0049
EPSS Percentile
65.6%
Details
CWE
CWE-264
Status
published
Products (4)
moodle/moodle
2.0.0
moodle/moodle
2.0.1
moodle/moodle
2.0.2
moodle/moodle
2.0.0 - 2.0.2 (Packagist)
Published
Jul 16, 2012
Tracked Since
Feb 18, 2026