CVE-2015-5266
MEDIUM
Moodle <2.6.11, <2.7.10, <2.8.8, <2.9.2 - Privilege Escalation
Title source: llm
Description
The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.
References (4)
Core References
Patch (x_refsource_confirm): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
Vendor Advisory (x_refsource_confirm): https://moodle.org/mod/forum/discuss.php?d=320290
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/09/21/1
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1033619
Scores
CVSS v3: 6.8
EPSS: 0.0025
EPSS Percentile: 48.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-264
Status: published
Products (22)
moodle/moodle 2.7.0
moodle/moodle 2.7.1
moodle/moodle 2.7.2
moodle/moodle 2.7.3
moodle/moodle 2.7.4
moodle/moodle 2.7.5
moodle/moodle 2.7.6
moodle/moodle 2.7.7
moodle/moodle 2.7.8
moodle/moodle 2.7.9
... and 12 more
Published: Feb 22, 2016
Tracked Since: Feb 18, 2026