CVE-2015-5266 — Moodle allows attackers to obtain manager privileges

Description

The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.

How to fix CVE-2015-5266

To remediate CVE-2015-5266, upgrade the affected package to a fixed version below.

—upgrade to 2.7.10 or later

Is CVE-2015-5266 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.7.0, < 2.7.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-5266
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
WEBgithub.com/moodle/moodle/commit/936facab28d8d8bd03f38da42cb80fafba1a06db