CVE-2010-1613

Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.

Published Bycve@mitre.org

Published DateApr 29, 2010, 21:30

Affected Versions(1)

moodle/moodle(Packagist)

Introduced1.8.0

Fixed1.9.8

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
moodle/moodle(Packagist)	1.8.0	1.9.8	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://moodle.org/security/
http://www.vupen.com/english/advisories/2010/1107

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL