Description: Even when a user's password is forced to be changed on login, the user could still use it to authenticate and create a web service token, thereby extending the life of the temporary password via web services.
Issue summary: login/token.php does not check whether auth_forcepasswordchange is on for the user
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Juan Leyva
Issue no.: MDL-48691
CVE identifier: CVE-2015-2272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691
MSA-15-0016: Web services token can be created for user with temporary password
by Marina Glancy
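An audit an administrator might run after upgrading, added here as an example and not part of the advisory or of Moodle's code: it lists users who are still flagged with auth_forcepasswordchange yet already hold web service tokens. The table and column names (mdl_user_preferences, mdl_external_tokens) and the stored value '1' are assumptions about a default-prefix Moodle schema, and all rows are constructed sample data.

```python
import sqlite3

# Assumed schema names (default "mdl_" prefix); check them against your own database.
AUDIT_SQL = """
SELECT t.userid, COUNT(*) AS tokens, MIN(t.timecreated) AS first_created
FROM mdl_external_tokens AS t
JOIN mdl_user_preferences AS p ON p.userid = t.userid
WHERE p.name = 'auth_forcepasswordchange'
  AND p.value = '1'
GROUP BY t.userid
ORDER BY t.userid
"""


def build_sample_db():
    """Constructed in-memory data standing in for a Moodle database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mdl_user_preferences (userid INTEGER, name TEXT, value TEXT);
        CREATE TABLE mdl_external_tokens (userid INTEGER, token TEXT, timecreated INTEGER);
    """)
    db.executemany("INSERT INTO mdl_user_preferences VALUES (?, ?, ?)", [
        (10, "auth_forcepasswordchange", "1"),  # temporary password, has tokens
        (11, "auth_forcepasswordchange", "0"),  # flag cleared
        (12, "constructed_other_pref", "1"),    # unrelated preference
        (13, "auth_forcepasswordchange", "1"),  # temporary password, no token
    ])
    db.executemany("INSERT INTO mdl_external_tokens VALUES (?, ?, ?)", [
        (10, "constructed-token-a", 1420070400),
        (10, "constructed-token-b", 1420074000),
        (11, "constructed-token-c", 1420077600),
        (12, "constructed-token-d", 1420081200),
    ])
    return db


def tokens_for_forced_change_users(db):
    """Return (userid, token_count, first_created) for flagged users holding tokens."""
    return db.execute(AUDIT_SQL).fetchall()


if __name__ == "__main__":
    for userid, count, first in tokens_for_forced_change_users(build_sample_db()):
        print(f"user {userid}: {count} token(s), earliest created at {first}")
```

Any row returned identifies tokens to review and revoke, since they may have been issued with a temporary password that was never changed.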