CVE-2011-4585

Published: 20 July 2012

login/change_password.php in Moodle 1.9.x before 1.9.15 does not use https for the change-password form even if the httpslogin option is enabled, which allows remote attackers to obtain credentials by sniffing the network.

Priority

Medium

Status

Package Release Status
moodle
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(1.9.9.dfsg2-6)
Patches:
Upstream: http://moodle.org/mod/forum/discuss.php?d=191752