CVE-2011-4287: Moodle does not force password changes for autosubscribed users

May 13, 2022 (updated April 12, 2025)

admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user.

References

github.com/advisories/GHSA-j3x5-cwfj-pfcw
nvd.nist.gov/vuln/detail/CVE-2011-4287

Code Behaviors & Features

Detect and mitigate CVE-2011-4287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →