VYPR
Moderate severity · NVD Advisory · Published Jun 1, 2015 · Updated May 6, 2026

CVE-2015-0215

Description

calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
moodle/moodle (Packagist)  < 2.6.7              2.6.7
moodle/moodle (Packagist)  >= 2.7.0, < 2.7.4    2.7.4
moodle/moodle (Packagist)  >= 2.8.0, < 2.8.2    2.8.2

Affected products

  • Moodle/Moodle: 22 versions
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.5.9)
    • cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*

Patches

5770e5147838

MDL-48106 mod_glossary: Add missing sesskey checks

https://github.com/moodle/moodle · Andrew Nicols · Nov 20, 2014 · via ghsa
2 files changed · +5 -0
  • mod/glossary/editcategories.html (+1 -0, modified)
    @@ -33,6 +33,7 @@
     <tr>
     <td colspan="2">
         <div class="buttons">
    +    <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>" />
         <input type="hidden" name="id" value="<?php p($cm->id) ?>" />
         <input type="hidden" name="action" value="<?php p($action) ?>" />
         <input type="hidden" name="confirm" value="1" />
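Review bot: style point on the added sesskey input: it prints its value with `echo sesskey()` while the id and action fields right below it use `p()`. Writing it as `p(sesskey())` would keep every hidden field in this form on the same output-escaping helper.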
    
  • mod/glossary/editcategories.php (+4 -0, modified)
    @@ -95,6 +95,7 @@
     
         if ( $action == "edit" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $action = "";
                 $cat = new stdClass();
                 $cat->id = $hook;
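Review bot: `require_sesskey()` is added inside `if ( $confirm )` for the edit branch here and again in the delete and add branches later in this file, so the protection depends on each confirmed branch carrying its own call. A single `if ( $confirm ) { require_sesskey(); }` ahead of the `$action` dispatch would cover these three and any branch added later.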
    @@ -128,6 +129,7 @@
     
         } elseif ( $action == "delete" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $DB->delete_records("glossary_entries_categories", array("categoryid"=>$hook));
                 $DB->delete_records("glossary_categories", array("id"=>$hook));
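Review bot: in the delete branch both `delete_records` calls key only on `$hook`, and nothing in these lines ties that category id to the glossary being edited. The sesskey check stops forged requests, but adding `glossaryid` to the `glossary_categories` condition, and confirming the category exists before removing its entry links, would keep a confirmed request from deleting a category that belongs to another glossary.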
     
    @@ -165,6 +167,7 @@
                             <td align="$rightalignment" style="width:50%">
                             <form id="form" method="post" action="editcategories.php">
                             <div>
    +                        <input type="hidden" name="sesskey"     value="<?php echo sesskey(); ?>" />
                             <input type="hidden" name="id"          value="<?php p($cm->id) ?>" />
                             <input type="hidden" name="action"      value="delete" />
                             <input type="hidden" name="confirm"     value="1" />
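Review bot: the `<td>` just above the new input carries `align="$rightalignment"`, while the sibling inputs need `<?php ... ?>` tags to print their values, which suggests this block is raw HTML and the variable name reaches the browser literally. Worth correcting in the same pass, for example `align="<?php p($rightalignment) ?>"`.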
    @@ -188,6 +191,7 @@
     
     } elseif ( $action == "add" ) {
         if ( $confirm ) {
    +        require_sesskey();
             $dupcategory = $DB->get_records_sql("SELECT * FROM {glossary_categories} WHERE ".$DB->sql_like('name','?', false)." AND glossaryid=?", array($name, $glossary->id));
             if ( $dupcategory ) {
                 redirect("editcategories.php?id=$cm->id&amp;action=add&amp;name=$name", get_string("duplicatecategory", "glossary"), 2);
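Review bot: in the add branch, the duplicate-name `redirect()` two lines below the new check builds its URL with `name=$name` interpolated raw. Passing the value through `urlencode()` would keep a category name containing `&` or `#` from altering the query string of the redirect target.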
    
c4250ef4f237

MDL-48106 mod_glossary: Add missing sesskey checks

https://github.com/moodle/moodle · Andrew Nicols · Nov 20, 2014 · via ghsa
2 files changed · +5 -0
  • mod/glossary/editcategories.html (+1 -0, modified)
    @@ -33,6 +33,7 @@
     <tr>
     <td colspan="2">
         <div class="buttons">
    +    <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>" />
         <input type="hidden" name="id" value="<?php p($cm->id) ?>" />
         <input type="hidden" name="action" value="<?php p($action) ?>" />
         <input type="hidden" name="confirm" value="1" />
    
  • mod/glossary/editcategories.php (+4 -0, modified)
    @@ -95,6 +95,7 @@
     
         if ( $action == "edit" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $action = "";
                 $cat = new stdClass();
                 $cat->id = $hook;
    @@ -128,6 +129,7 @@
     
         } elseif ( $action == "delete" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $DB->delete_records("glossary_entries_categories", array("categoryid"=>$hook));
                 $DB->delete_records("glossary_categories", array("id"=>$hook));
     
    @@ -165,6 +167,7 @@
                             <td align="$rightalignment" style="width:50%">
                             <form id="form" method="post" action="editcategories.php">
                             <div>
    +                        <input type="hidden" name="sesskey"     value="<?php echo sesskey(); ?>" />
                             <input type="hidden" name="id"          value="<?php p($cm->id) ?>" />
                             <input type="hidden" name="action"      value="delete" />
                             <input type="hidden" name="confirm"     value="1" />
    @@ -188,6 +191,7 @@
     
     } elseif ( $action == "add" ) {
         if ( $confirm ) {
    +        require_sesskey();
             $dupcategory = $DB->get_records_sql("SELECT * FROM {glossary_categories} WHERE ".$DB->sql_like('name','?', false)." AND glossaryid=?", array($name, $glossary->id));
             if ( $dupcategory ) {
                 redirect("editcategories.php?id=$cm->id&amp;action=add&amp;name=$name", get_string("duplicatecategory", "glossary"), 2);
    
e83c756f84e1

MDL-48106 mod_glossary: Add missing sesskey checks

https://github.com/moodle/moodle · Andrew Nicols · Nov 20, 2014 · via ghsa
2 files changed · +5 -0
  • mod/glossary/editcategories.html (+1 -0, modified)
    @@ -33,6 +33,7 @@
     <tr>
     <td colspan="2">
         <div class="buttons">
    +    <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>" />
         <input type="hidden" name="id" value="<?php p($cm->id) ?>" />
         <input type="hidden" name="action" value="<?php p($action) ?>" />
         <input type="hidden" name="confirm" value="1" />
    
  • mod/glossary/editcategories.php (+4 -0, modified)
    @@ -95,6 +95,7 @@
     
         if ( $action == "edit" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $action = "";
                 $cat = new stdClass();
                 $cat->id = $hook;
    @@ -118,6 +119,7 @@
     
         } elseif ( $action == "delete" ) {
             if ( $confirm ) {
    +            require_sesskey();
                 $DB->delete_records("glossary_entries_categories", array("categoryid"=>$hook));
                 $DB->delete_records("glossary_categories", array("id"=>$hook));
     
    @@ -146,6 +148,7 @@
                             <td align="$rightalignment" style="width:50%">
                             <form id="form" method="post" action="editcategories.php">
                             <div>
    +                        <input type="hidden" name="sesskey"     value="<?php echo sesskey(); ?>" />
                             <input type="hidden" name="id"          value="<?php p($cm->id) ?>" />
                             <input type="hidden" name="action"      value="delete" />
                             <input type="hidden" name="confirm"     value="1" />
    @@ -169,6 +172,7 @@
     
     } elseif ( $action == "add" ) {
         if ( $confirm ) {
    +        require_sesskey();
             $dupcategory = $DB->get_records_sql("SELECT * FROM {glossary_categories} WHERE ".$DB->sql_like('name','?', false)." AND glossaryid=?", array($name, $glossary->id));
             if ( $dupcategory ) {
                 redirect("editcategories.php?id=$cm->id&amp;action=add&amp;name=$name", get_string("duplicatecategory", "glossary"), 2);
    
76aea854f687

MDL-48017 core_calendar: add context validation to get_calendar_events

https://github.com/moodle/moodle · Simey Lameze · Nov 14, 2014 · via ghsa
1 file changed · +11 -5
  • calendar/externallib.php (+11 -5, modified)
    @@ -173,13 +173,19 @@ public static function get_calendar_events($events = array(), $options = array()
     
             // Let us findout courses that we can return events from.
             if (!$hassystemcap) {
    -            $courses = enrol_get_my_courses();
    -            $courses = array_keys($courses);
                 foreach ($params['events']['courseids'] as $id) {
    -                if (in_array($id, $courses)) {
    +               try {
    +                    $context = context_course::instance($id);
    +                    self::validate_context($context);
                         $funcparam['courses'][] = $id;
    -                } else {
    -                    $warnings[] = array('item' => $id, 'warningcode' => 'nopermissions', 'message' => 'you do not have permissions to access this course');
    +                } catch (Exception $e) {
    +                    $warnings[] = array(
    +                        'item' => 'course',
    +                        'itemid' => $id,
    +                        'warningcode' => 'nopermissions',
    +                        'message' => 'No access rights in course context '.$e->getMessage().$e->getTraceAsString()
    +                    );
    +                    continue;
                     }
                 }
             } else {
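Review bot: the new warning's `message` concatenates `$e->getMessage()` and `$e->getTraceAsString()`, so a caller who is refused a course receives a server stack trace in the web-service response. Return a fixed message (the `itemid` is enough for correlation) and send the exception detail to the server log instead. Catching plain `Exception` also reports unrelated failures as `nopermissions`, so a narrower catch would be clearer, and the added `try {` line is indented one column short of its block.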
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
