CVE-2014-7845

The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.

Published Bysecalert@redhat.com

Published DateNov 24, 2014, 11:59

Affected Versions(3)

moodle/moodle(Packagist)

Introduced2.7.0

Fixed2.7.3

LimitN/A

moodle/moodle(Packagist)

Introduced2.6.0

Fixed2.6.6

LimitN/A

moodle/moodle(Packagist)

Introduced2.5.0

Fixed2.5.9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
moodle/moodle(Packagist)	2.7.0	2.7.3	N/A
moodle/moodle(Packagist)	2.6.0	2.6.6	N/A
moodle/moodle(Packagist)	2.5.0	2.5.9	N/A

Weakness Type (CWE):CWE-255

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-255

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL