Moderate severity · NVD Advisory · Published Mar 24, 2014 · Updated May 6, 2026
CVE-2014-0126
Description
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.4.9 | 2.4.9 |
| moodle/moodle (Packagist) | >= 2.5.0, < 2.5.5 | 2.5.5 |
| moodle/moodle (Packagist) | >= 2.6.0, < 2.6.2 | 2.6.2 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.3.11)
- cpe:2.3:a:moodle:moodle:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
Patches
41a19bffeef0 MDL-43146 enrol_imsenterprise: missing sesskey protection
2 files changed · +4 −2
enrol/imsenterprise/importnow.php+1 −0 modified@@ -24,6 +24,7 @@ require_once(dirname(dirname(dirname(__FILE__))) . '/config.php'); require_login(0, false); require_capability('moodle/site:config', context_system::instance()); +require_sesskey(); $site = get_site();
enrol/imsenterprise/settings.php+3 −2 modified@@ -119,7 +119,8 @@ $settings->add(new admin_setting_configcheckbox('enrol_imsenterprise/imscapitafix', get_string('usecapitafix', 'enrol_imsenterprise'), get_string('usecapitafix_desc', 'enrol_imsenterprise'), 0)); - $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' <a href="../enrol/imsenterprise/importnow.php">'; - $importnowstring .= get_string('doitnow', 'enrol_imsenterprise').'</a>'; + $importurl = new moodle_url('/enrol/imsenterprise/importnow.php', array('sesskey' => sesskey())); + $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' '; + $importnowstring .= html_writer::link($importurl, get_string('doitnow', 'enrol_imsenterprise')); $settings->add(new admin_setting_heading('enrol_imsenterprise_doitnowmessage', '', $importnowstring)); }
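Review bot: in importnow.php the new require_sesskey() call makes the script reject any request without a valid sesskey, while the script is still reached through a plain link, so a bookmarked or hand-typed URL to importnow.php, or any other page that links to it, will now stop with a sesskey error. The placement after require_login() and require_capability() and before get_site() is right. Please confirm that settings.php is the only caller, and state the behaviour change in the commit message, which currently says only "missing sesskey protection".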
caf766507771 MDL-43146 enrol_imsenterprise: missing sesskey protection
2 files changed · +4 −2
enrol/imsenterprise/importnow.php+1 −0 modified@@ -24,6 +24,7 @@ require_once(dirname(dirname(dirname(__FILE__))) . '/config.php'); require_login(0, false); require_capability('moodle/site:config', context_system::instance()); +require_sesskey(); $site = get_site();
enrol/imsenterprise/settings.php+3 −2 modified@@ -119,7 +119,8 @@ $settings->add(new admin_setting_configcheckbox('enrol_imsenterprise/imscapitafix', get_string('usecapitafix', 'enrol_imsenterprise'), get_string('usecapitafix_desc', 'enrol_imsenterprise'), 0)); - $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' <a href="../enrol/imsenterprise/importnow.php">'; - $importnowstring .= get_string('doitnow', 'enrol_imsenterprise').'</a>'; + $importurl = new moodle_url('/enrol/imsenterprise/importnow.php', array('sesskey' => sesskey())); + $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' '; + $importnowstring .= html_writer::link($importurl, get_string('doitnow', 'enrol_imsenterprise')); $settings->add(new admin_setting_heading('enrol_imsenterprise_doitnowmessage', '', $importnowstring)); }
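Review bot: in settings.php the token is placed in the query string by array('sesskey' => sesskey()), so it becomes part of the link URL and ends up in browser history and web server access logs. The link triggers an import, which is a state-changing action, so consider rendering it as a small POST form or button so that the sesskey travels in the request body. Replacing the hand-built relative href with moodle_url and html_writer::link is otherwise an improvement.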
eee61675f042 MDL-43146 enrol_imsenterprise: missing sesskey protection
2 files changed · +4 −1
enrol/imsenterprise/importnow.php+1 −0 modified@@ -2,6 +2,7 @@ require_once(dirname(dirname(dirname(__FILE__))) . '/config.php'); require_login(0, false); require_capability('moodle/site:config', context_system::instance()); +require_sesskey(); $site = get_site();
enrol/imsenterprise/settings.php+3 −1 modified@@ -83,6 +83,8 @@ $settings->add(new admin_setting_configcheckbox('enrol_imsenterprise/imscapitafix', get_string('usecapitafix', 'enrol_imsenterprise'), get_string('usecapitafix_desc', 'enrol_imsenterprise'), 0)); - $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' <a href="../enrol/imsenterprise/importnow.php">'.get_string('doitnow', 'enrol_imsenterprise').'</a>'; + $importurl = new moodle_url('/enrol/imsenterprise/importnow.php', array('sesskey' => sesskey())); + $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' '. + html_writer::link($importurl, get_string('doitnow', 'enrol_imsenterprise')); $settings->add(new admin_setting_heading('enrol_imsenterprise_doitnowmessage', '', $importnowstring)); }
ea8647b39ec9 MDL-43146 enrol_imsenterprise: missing sesskey protection
2 files changed · +4 −1
enrol/imsenterprise/importnow.php+1 −0 modified@@ -2,6 +2,7 @@ require_once(dirname(dirname(dirname(__FILE__))) . '/config.php'); require_login(0, false); require_capability('moodle/site:config', context_system::instance()); +require_sesskey(); $site = get_site();
enrol/imsenterprise/settings.php+3 −1 modified@@ -94,6 +94,8 @@ $settings->add(new admin_setting_configcheckbox('enrol_imsenterprise/imscapitafix', get_string('usecapitafix', 'enrol_imsenterprise'), get_string('usecapitafix_desc', 'enrol_imsenterprise'), 0)); - $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' <a href="../enrol/imsenterprise/importnow.php">'.get_string('doitnow', 'enrol_imsenterprise').'</a>'; + $importurl = new moodle_url('/enrol/imsenterprise/importnow.php', array('sesskey' => sesskey())); + $importnowstring = get_string('aftersaving...', 'enrol_imsenterprise').' '. + html_writer::link($importurl, get_string('doitnow', 'enrol_imsenterprise')); $settings->add(new admin_setting_heading('enrol_imsenterprise_doitnowmessage', '', $importnowstring)); }
References
- github.com/advisories/GHSA-4wvg-7886-83gv (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2014-0126 (ghsa, ADVISORY)
- openwall.com/lists/oss-security/2014/03/17/1 (nvd, WEB)
- github.com/moodle/moodle/commit/41a19bffeef0ee6b0560a5ff808fd4bd35075fa1 (ghsa, WEB)
- github.com/moodle/moodle/commit/caf766507771e07c1752ece1f37a32b2b4f6d8b9 (ghsa, WEB)
- github.com/moodle/moodle/commit/ea8647b39ec9cf1d73e04b05559bd12d97aa5229 (ghsa, WEB)
- github.com/moodle/moodle/commit/eee61675f042a9ec89f8f6d219b4ded010198fe4 (ghsa, WEB)