CVE-2016-7038: Weak Password Recovery Mechanism for Forgotten Password

January 20, 2017 (updated January 25, 2017)

In Moodle, web service tokens are not invalidated when the user password is changed or forced to be changed.

References

www.securityfocus.com/bid/93174
moodle.org/mod/forum/discuss.php?d=339631
nvd.nist.gov/vuln/detail/CVE-2016-7038

Code Behaviors & Features

Detect and mitigate CVE-2016-7038 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →