CVE-2014-0214
Description
login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.4.10 | 2.4.10 |
| moodle/moodle (Packagist) | >= 2.5.0, < 2.5.6 | 2.5.6 |
| moodle/moodle (Packagist) | >= 2.6.0, < 2.6.3 | 2.6.3 |
Patches
b5b2eab6778b MDL-43119 Add valid until dates for tokens created by login/token.php
1 file changed · +2 −0
login/token.php+2 −0 modified@@ -160,6 +160,8 @@ $token->creatorid = $user->id; $token->timecreated = time(); $token->externalserviceid = $service_record->id; + // MDL-43119 Token valid for 3 months (12 weeks). + $token->validuntil = $token->timecreated + 12 * WEEKSECS; $tokenid = $DB->insert_record('external_tokens', $token); add_to_log(SITEID, 'webservice', 'automatically create user token', '' , 'User ID: ' . $user->id); $token->id = $tokenid;
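Review bot: the added `$token->validuntil = $token->timecreated + 12 * WEEKSECS;` applies only to the record inserted at this point, so rows already in `external_tokens` that this script created before the change keep their unlimited lifetime. Consider pairing the change with an upgrade step that sets `validuntil` on existing automatically created tokens, or documenting that administrators should delete them. The 12-week lifetime is also hard-coded here; a named constant or a site setting would let sites with a stricter policy shorten it without patching login/token.php.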
679e323aaab2 MDL-43119 Add valid until dates for tokens created by login/token.php
1 file changed · +2 −0
login/token.php+2 −0 modified@@ -160,6 +160,8 @@ $token->creatorid = $user->id; $token->timecreated = time(); $token->externalserviceid = $service_record->id; + // MDL-43119 Token valid for 3 months (12 weeks). + $token->validuntil = $token->timecreated + 12 * WEEKSECS; $token->id = $DB->insert_record('external_tokens', $token); $params = array(
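Review bot: the comment on the added lines says "3 months (12 weeks)", but `12 * WEEKSECS` is 84 days, which is shorter than three calendar months. State the lifetime once, as 12 weeks, so the comment matches the arithmetic and nobody sizes a client-side renewal window from the "3 months" wording. The comment also gives only the tracker id as the reason; a few words saying that the token must expire would save the next reader a lookup.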
14c16a416373 MDL-43119 Add valid until dates for tokens created by login/token.php
1 file changed · +2 −0
login/token.php+2 −0 modified@@ -160,6 +160,8 @@ $token->creatorid = $user->id; $token->timecreated = time(); $token->externalserviceid = $service_record->id; + // MDL-43119 Token valid for 3 months (12 weeks). + $token->validuntil = $token->timecreated + 12 * WEEKSECS; $token->id = $DB->insert_record('external_tokens', $token); $params = array(
437240b5aa77 MDL-43119 Add valid until dates for tokens created by login/token.php
1 file changed · +2 −0
login/token.php+2 −0 modified@@ -160,6 +160,8 @@ $token->creatorid = $user->id; $token->timecreated = time(); $token->externalserviceid = $service_record->id; + // MDL-43119 Token valid for 3 months (12 weeks). + $token->validuntil = $token->timecreated + 12 * WEEKSECS; $tokenid = $DB->insert_record('external_tokens', $token); add_to_log(SITEID, 'webservice', 'automatically create user token', '' , 'User ID: ' . $user->id); $token->id = $tokenid;
References
- github.com/advisories/GHSA-48rq-vj58-2mh6 (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2014-0214 (ghsa, ADVISORY)
- openwall.com/lists/oss-security/2014/05/19/1 (nvd, WEB)
- github.com/moodle/moodle/commit/14c16a416373f68c36b65f4653c0bd076eb0b290 (ghsa, WEB)
- github.com/moodle/moodle/commit/437240b5aa7719f1b8cce1e0f45ac0708c72cc23 (ghsa, WEB)
- github.com/moodle/moodle/commit/679e323aaab2a968b8e87862e1658814645db525 (ghsa, WEB)
- github.com/moodle/moodle/commit/b5b2eab6778bee166e20bc5eec0138d89795ac3d (ghsa, WEB)