Vulnerability Description
The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | <= 2.6.11 |
Related Weaknesses (CWE)
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
- http://www.openwall.com/lists/oss-security/2015/09/21/1
- http://www.securitytracker.com/id/1033619
- https://moodle.org/mod/forum/discuss.php?d=320290 (Vendor Advisory)
FAQ
What is CVE-2015-5266?
CVE-2015-5266 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager pr...
How severe is CVE-2015-5266?
CVE-2015-5266 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-5266?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.