CVE-2014-7838
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.5.9 | 2.5.9 |
| moodle/moodle (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
| moodle/moodle (Packagist) | >= 2.7.0, < 2.7.3 | 2.7.3 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.4.11
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
Patches
545eb1bcfdbf MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs
4 files changed · +15 −10
mod/forum/forum.js+1 −1 modified@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) { var elementid = "trackinglink"; var subs_link = document.getElementById(elementid); if(subs_link){ - subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>"; + subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>"; } }
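Review bot: The rewritten href is still assembled as an HTML string and assigned to `innerHTML`, so `ltitle`, `ltext` and now `M.cfg.sesskey` are parsed as markup and attribute text instead of being set as values; where the two label strings originate is not visible in this hunk (presumably server-supplied language strings), but building the anchor through the DOM removes the escaping question and lets both query parameters be URL-encoded. The rewrite below keeps the same element id, link target and parameter names. The enclosing function forum_produce_tracking_link appears to begin just before the hunk.
```javascript
function forum_produce_tracking_link(forumid, ltext, ltitle) {
    var subs_link = document.getElementById("trackinglink");
    if (subs_link) {
        var anchor = document.createElement("a");
        anchor.title = ltitle;
        anchor.href = M.cfg.wwwroot + "/mod/forum/settracking.php?id=" +
            encodeURIComponent(forumid) + "&sesskey=" + encodeURIComponent(M.cfg.sesskey);
        anchor.appendChild(document.createTextNode(ltext));
        // Replace any previous content rather than appending a second link.
        while (subs_link.firstChild) {
            subs_link.removeChild(subs_link.firstChild);
        }
        subs_link.appendChild(anchor);
    }
}
```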
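--- a/mod/forum/index.php
+++ b/mod/forum/index.php
@@ -235,7 +235,10 @@
 } else if ($forum->trackingtype === FORUM_TRACKING_OFF || ($USER->trackforums == 0)) {
 $trackedlink = '-';
 } else {
-$aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+$aurl = new moodle_url('/mod/forum/settracking.php', array(
+'id' => $forum->id,
+'sesskey' => sesskey(),
+));
 if (!isset($untracked[$forum->id])) {
 $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum));
 } else {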
mod/forum/lib.php+8 −2 modified@@ -5066,7 +5066,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) { // use <noscript> to print button in case javascript is not enabled $link .= '<noscript>'; } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forum->id, + 'sesskey' => sesskey(), + )); $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle)); if ($fakelink) { @@ -7806,7 +7809,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi } else { $linktext = get_string('trackforum', 'forum'); } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forumobject->id, + 'sesskey' => sesskey(), + )); $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING); } }
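Review bot: In forum_get_tracking_link the button is still emitted with `$OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle))`, so the sesskey this hunk adds to `$url` is sent as a query-string parameter and will appear in browser history, proxy logs and the Referer header of the page settracking.php redirects to, whereas the equivalent button in index.php in this same commit uses `'post'`. Because settracking.php changes state, the form should post as well, which should keep the key out of the URL: `$link .= $OUTPUT->single_button($url, $linktext, 'post', array('title'=>$linktitle));`. The navigation node in the second hunk is a plain link and will necessarily carry the key in its href; if that is accepted, a comment such as `// Navigation entries are GET links; the sesskey is the CSRF token settracking.php now requires.` would record the decision. Both forum_get_tracking_link and forum_extend_settings_navigation start and end outside these hunks.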
mod/forum/settracking.php+2 −6 modified@@ -29,11 +29,7 @@ $id = required_param('id',PARAM_INT); // The forum to subscribe or unsubscribe to $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE); // Page to return to. -$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id)); -if ($returnpage !== 'index.php') { - $url->param('returnpage', $returnpage); -} -$PAGE->set_url($url); +require_sesskey(); if (! $forum = $DB->get_record("forum", array("id" => $id))) { print_error('invalidforumid', 'forum'); @@ -47,7 +43,7 @@ print_error('invalidcoursemodule'); } -require_course_login($course, false, $cm); +require_login($course, false, $cm); $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);
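Review bot: `require_sesskey()` is inserted as the first statement after parameter parsing, ahead of the `require_login($course, false, $cm)` call later in the hunk, so a user whose session has expired and who follows the tracking link will presumably get a sesskey error page rather than the usual login redirect; Moodle scripts normally run the sesskey check after require_login, and moving this one line to just below that call keeps the CSRF protection with the expected behaviour. The deleted `$PAGE->set_url($url)` was the only place the page URL was set, yet `print_error('invalidforumid', 'forum')` on the following line still renders a page, and Moodle's page object may complain in developer debugging when output starts without set_url, so that error path is worth confirming. The switch from require_course_login to require_login is a sensible tightening for a per-user preference; a comment like `// A real login is required: tracking preferences are stored per user.` would make that intent explicit.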
bef4a5e01739 MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs
4 files changed · +15 −10
mod/forum/forum.js+1 −1 modified@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) { var elementid = "trackinglink"; var subs_link = document.getElementById(elementid); if(subs_link){ - subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>"; + subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>"; } }
mod/forum/index.php+4 −1 modified@@ -217,7 +217,10 @@ $trackedlink = $stryes; } else { - $aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id)); + $aurl = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forum->id, + 'sesskey' => sesskey(), + )); if (!isset($untracked[$forum->id])) { $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum)); } else {
mod/forum/lib.php+8 −2 modified@@ -4975,7 +4975,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) { // use <noscript> to print button in case javascript is not enabled $link .= '<noscript>'; } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forum->id, + 'sesskey' => sesskey(), + )); $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle)); if ($fakelink) { @@ -7804,7 +7807,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi } else { $linktext = get_string('trackforum', 'forum'); } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forumobject->id, + 'sesskey' => sesskey(), + )); $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING); } }
mod/forum/settracking.php+2 −6 modified@@ -29,11 +29,7 @@ $id = required_param('id',PARAM_INT); // The forum to subscribe or unsubscribe to $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE); // Page to return to. -$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id)); -if ($returnpage !== 'index.php') { - $url->param('returnpage', $returnpage); -} -$PAGE->set_url($url); +require_sesskey(); if (! $forum = $DB->get_record("forum", array("id" => $id))) { print_error('invalidforumid', 'forum'); @@ -47,7 +43,7 @@ print_error('invalidcoursemodule'); } -require_course_login($course, false, $cm); +require_login($course, false, $cm); $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);
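Review bot: With `$PAGE->set_url($url)` removed, nothing in the script sets the page URL any more, yet `print_error('invalidforumid', 'forum')` immediately below (and the `invalidcoursemodule` error in the second hunk) still render a full page; Moodle's page object may emit a developer-debugging notice when output begins without a URL, so either keep a `$PAGE->set_url(new moodle_url('/mod/forum/settracking.php', array('id' => $id)));` line or confirm that print_error tolerates the missing URL on these branches. The `$returnpage` value is cleaned with PARAM_FILE and then concatenated into the redirect target; that type is what keeps path and query components out of the concatenation, and a comment to that effect next to the optional_param call would save the next reader re-deriving it. The new `require_sesskey()` also runs before `require_login`, so an expired session yields a sesskey error rather than a login prompt — fine if intended, but the order is unusual for Moodle.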
c812956efda7 MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs
4 files changed · +15 −10
mod/forum/forum.js+1 −1 modified@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) { var elementid = "trackinglink"; var subs_link = document.getElementById(elementid); if(subs_link){ - subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>"; + subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>"; } }
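--- a/mod/forum/index.php
+++ b/mod/forum/index.php
@@ -238,7 +238,10 @@
 } else if ($forum->trackingtype === FORUM_TRACKING_OFF || ($USER->trackforums == 0)) {
 $trackedlink = '-';
 } else {
-$aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+$aurl = new moodle_url('/mod/forum/settracking.php', array(
+'id' => $forum->id,
+'sesskey' => sesskey(),
+));
 if (!isset($untracked[$forum->id])) {
 $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum));
 } else {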
mod/forum/lib.php+8 −2 modified@@ -5128,7 +5128,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) { // use <noscript> to print button in case javascript is not enabled $link .= '<noscript>'; } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forum->id, + 'sesskey' => sesskey(), + )); $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle)); if ($fakelink) { @@ -7882,7 +7885,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi } else { $linktext = get_string('trackforum', 'forum'); } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forumobject->id, + 'sesskey' => sesskey(), + )); $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING); } }
mod/forum/settracking.php+2 −6 modified@@ -29,11 +29,7 @@ $id = required_param('id',PARAM_INT); // The forum to subscribe or unsubscribe to $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE); // Page to return to. -$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id)); -if ($returnpage !== 'index.php') { - $url->param('returnpage', $returnpage); -} -$PAGE->set_url($url); +require_sesskey(); if (! $forum = $DB->get_record("forum", array("id" => $id))) { print_error('invalidforumid', 'forum'); @@ -47,7 +43,7 @@ print_error('invalidcoursemodule'); } -require_course_login($course, false, $cm); +require_login($course, false, $cm); $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);
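Review bot: The new `require_sesskey();` line carries no explanation, and because this script is reached from plain GET links elsewhere in the commit the token arrives in the query string and is then exposed in the Referer header of the page that `forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id)` redirects to; a comment such as `// CSRF guard (MDL-48019): every link to this script must carry the caller's sesskey.` would record why the check is here and why the key is in the URL. Placing the check before the forum and course lookups is good — forged requests are rejected before any database work — but it also precedes `require_login($course, false, $cm)`, so an expired session presumably produces a sesskey error instead of a login redirect; moving the call below require_login is the conventional Moodle order. The second hunk's change from require_course_login to require_login deserves its own one-line rationale since it also excludes guest access.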
7a311adbba94 MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs
5 files changed · +15 −11
mod/forum/deprecatedlib.php+4 −1 modified@@ -338,7 +338,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) { // use <noscript> to print button in case javascript is not enabled $link .= '<noscript>'; } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forum->id, + 'sesskey' => sesskey(), + )); $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle)); if ($fakelink) {
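Review bot: The deprecated forum_get_tracking_link still renders its button with `$OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle))`, so the sesskey this hunk adds to `$url` is submitted in the query string and will show up in browser history, proxy logs and the Referer header of the redirect target, while the index.php button in this same commit posts. A state-changing request should use `'post'`, which should keep the key out of the URL: `$link .= $OUTPUT->single_button($url, $linktext, 'post', array('title'=>$linktitle));`. As this function is already deprecated, a comment noting that callers should migrate to the non-deprecated tracking link would also be appropriate. The function starts and ends outside the hunk.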
mod/forum/forum.js+1 −1 modified@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) { var elementid = "trackinglink"; var subs_link = document.getElementById(elementid); if(subs_link){ - subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>"; + subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>"; } }
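Review bot: The patched line still concatenates `ltitle`, `ltext` and the newly added `M.cfg.sesskey` into an HTML string that is assigned to `innerHTML`, so all three are interpreted as markup rather than set as attribute and text values; the origin of the two label strings is not visible here (presumably server-supplied language strings), but creating the anchor through the DOM settles the question and also URL-encodes both query parameters. The rewrite below keeps the element id, target path and parameter names unchanged. The enclosing function forum_produce_tracking_link appears to begin just before the hunk.
```javascript
function forum_produce_tracking_link(forumid, ltext, ltitle) {
    var container = document.getElementById("trackinglink");
    if (container) {
        var link = document.createElement("a");
        link.title = ltitle;
        link.href = M.cfg.wwwroot + "/mod/forum/settracking.php?id=" +
            encodeURIComponent(forumid) + "&sesskey=" + encodeURIComponent(M.cfg.sesskey);
        link.appendChild(document.createTextNode(ltext));
        // Clear any earlier content so the link is replaced, not duplicated.
        while (container.firstChild) {
            container.removeChild(container.firstChild);
        }
        container.appendChild(link);
    }
}
```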
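--- a/mod/forum/index.php
+++ b/mod/forum/index.php
@@ -240,7 +240,10 @@
 } else if ($forum->trackingtype === FORUM_TRACKING_OFF || ($USER->trackforums == 0)) {
 $trackedlink = '-';
 } else {
-$aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+$aurl = new moodle_url('/mod/forum/settracking.php', array(
+'id' => $forum->id,
+'sesskey' => sesskey(),
+));
 if (!isset($untracked[$forum->id])) {
 $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum));
 } else {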
mod/forum/lib.php+4 −1 modified@@ -7107,7 +7107,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi } else { $linktext = get_string('trackforum', 'forum'); } - $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id)); + $url = new moodle_url('/mod/forum/settracking.php', array( + 'id' => $forumobject->id, + 'sesskey' => sesskey(), + )); $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING); } }
mod/forum/settracking.php+2 −7 modified@@ -29,11 +29,7 @@ $id = required_param('id',PARAM_INT); // The forum to subscribe or unsubscribe to $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE); // Page to return to. -$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id)); -if ($returnpage !== 'index.php') { - $url->param('returnpage', $returnpage); -} -$PAGE->set_url($url); +require_sesskey(); if (! $forum = $DB->get_record("forum", array("id" => $id))) { print_error('invalidforumid', 'forum'); @@ -46,8 +42,7 @@ if (! $cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) { print_error('invalidcoursemodule'); } - -require_course_login($course, false, $cm); +require_login($course, false, $cm); $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);
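Review bot: `require_sesskey()` now runs before `require_login($course, false, $cm)` in the second hunk, so a visitor whose session has lapsed and who follows a tracking link is presumably shown a sesskey error instead of being sent to log in; the conventional Moodle order is to validate the sesskey right after require_login, and relocating the single line there preserves the CSRF protection. Dropping `$PAGE->set_url($url)` leaves the page URL unset while `print_error('invalidforumid', 'forum')` and the `invalidcoursemodule` error can still render pages, which Moodle's page object may flag under developer debugging — worth confirming on those branches. The switch to require_login also removes guest access to this script, which is correct for a per-user setting but silent; a comment such as `// Per-user preference: guests and not-logged-in users cannot set tracking.` would explain the tightening.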
References
- github.com/advisories/GHSA-43r4-vm25-qm78 (source: ghsa; type: ADVISORY)
- moodle.org/mod/forum/discuss.php (source: nvd; type: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2014-7838 (source: ghsa; type: ADVISORY)
- openwall.com/lists/oss-security/2014/11/17/11 (source: nvd; type: WEB)
- github.com/moodle/moodle/commit/545eb1bcfdbfc352bf6c31edf440485ba6d5af42 (source: ghsa; type: WEB)
- github.com/moodle/moodle/commit/7a311adbba9471edb5a49e4c4b8c356c87f0e44b (source: ghsa; type: WEB)
- github.com/moodle/moodle/commit/bef4a5e01739f2b239c0910b9e1aa2841b979f7d (source: ghsa; type: WEB)
- github.com/moodle/moodle/commit/c812956efda7d10dfdce5ae19c0ec8879de38a31 (source: ghsa; type: WEB)
- web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215 (source: ghsa; type: WEB)
- www.securitytracker.com/id/1031215 (source: nvd)