Security announcements

MSA-15-0016: Web services token can be created for user with temporary password

 
Picture of Marina Glancy
MSA-15-0016: Web services token can be created for user with temporary password
 
Description: Even when user's password is forced to be changed on login, user could still use it for authentication in order to create the web service token and therefore extend the life of the temporary password via web services.
Issue summary: login/token.php does not check if auth_forcepasswordchange is on for the user
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Juan Leyva
Issue no.: MDL-48691
CVE identifier: CVE-2015-2272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691