Description
login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74725
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=313686
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032358
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2015/05/18/1
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090
Scores
EPSS
0.0033
EPSS Percentile
55.8%
Details
CWE
CWE-264
Status
published
Products (36)
moodle/moodle
2.5.0
moodle/moodle
2.5.1
moodle/moodle
2.5.2
moodle/moodle
2.5.3
moodle/moodle
2.5.4
moodle/moodle
2.5.5
moodle/moodle
2.5.6
moodle/moodle
2.5.7
moodle/moodle
2.5.8
moodle/moodle
2.6.0
... and 26 more
Published
Jun 01, 2015
Tracked Since
Feb 18, 2026