Bug 1264852

Summary: CVE-2015-5267 moodle: Vulnerability in password recovery mechanism (MSA-15-0034)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, ignatenko
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 2.9.2, 2.8.8 and 2.7.10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-21 11:40:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Mariš 2015-09-21 11:23:27 UTC 
A vulnerability in password recovery mechanism was found allowing to guess the password recovery token becasue of php randomization limitations. Affected versions are 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions.

Upstream patch:

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
Comment 1 Adam Mariš 2015-09-21 11:40:04 UTC 

*** This bug has been marked as a duplicate of bug 1264861 ***