Moderate severityNVD Advisory· Published Jun 1, 2015· Updated May 6, 2026

CVE-2015-2266

Description

message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
moodle/moodlePackagist	< 2.6.9	2.6.9
moodle/moodlePackagist	>= 2.7.0, < 2.7.6	2.7.6
moodle/moodlePackagist	>= 2.8.0, < 2.8.4	2.8.4

Affected products

Moodle/Moodle29 versions
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 28 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.5.9
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*

Patches

2924ba1c73f9

MDL-49204 core_message: Checking current user

https://github.com/moodle/moodleDavid MonllaoMar 3, 2015via ghsa

commit

1 file changed · +1 −3

message/index.php+1 −3 modified

@@ -114,9 +114,7 @@
 $showactionlinks = $showactionlinks && $user2realuser;
 $systemcontext = context_system::instance();
 
-// Is the user involved in the conversation?
-// Do they have the ability to read other user's conversations?
-if (!message_current_user_is_involved($user1, $user2) && !has_capability('moodle/site:readallmessages', $systemcontext)) {
+if ($currentuser === false && !has_capability('moodle/site:readallmessages', $systemcontext)) {
     print_error('accessdenied','admin');
 }

553319be03c4

MDL-49204 core_message: Checking current user

https://github.com/moodle/moodleDavid MonllaoMar 3, 2015via ghsa

commit

1 file changed · +1 −3

message/index.php+1 −3 modified

@@ -114,9 +114,7 @@
 $showactionlinks = $showactionlinks && $user2realuser;
 $systemcontext = context_system::instance();
 
-// Is the user involved in the conversation?
-// Do they have the ability to read other user's conversations?
-if (!message_current_user_is_involved($user1, $user2) && !has_capability('moodle/site:readallmessages', $systemcontext)) {
+if ($currentuser === false && !has_capability('moodle/site:readallmessages', $systemcontext)) {
     print_error('accessdenied','admin');
 }

c35df119a560

MDL-49204 core_message: Checking current user

https://github.com/moodle/moodleDavid MonllaoMar 3, 2015via ghsa

commit

1 file changed · +1 −3

message/index.php+1 −3 modified

@@ -114,9 +114,7 @@
 $showactionlinks = $showactionlinks && $user2realuser;
 $systemcontext = context_system::instance();
 
-// Is the user involved in the conversation?
-// Do they have the ability to read other user's conversations?
-if (!message_current_user_is_involved($user1, $user2) && !has_capability('moodle/site:readallmessages', $systemcontext)) {
+if ($currentuser === false && !has_capability('moodle/site:readallmessages', $systemcontext)) {
     print_error('accessdenied','admin');
 }

eb45017b61e3

MDL-49204 core_message: Checking current user

https://github.com/moodle/moodleDavid MonllaoMar 3, 2015via ghsa

commit

1 file changed · +1 −3

message/index.php+1 −3 modified

@@ -114,9 +114,7 @@
 $showactionlinks = $showactionlinks && $user2realuser;
 $systemcontext = context_system::instance();
 
-// Is the user involved in the conversation?
-// Do they have the ability to read other user's conversations?
-if (!message_current_user_is_involved($user1, $user2) && !has_capability('moodle/site:readallmessages', $systemcontext)) {
+if ($currentuser === false && !has_capability('moodle/site:readallmessages', $systemcontext)) {
     print_error('accessdenied','admin');
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-35pr-gqm6-r366ghsaADVISORY
moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2015-2266ghsaADVISORY
openwall.com/lists/oss-security/2015/03/16/1nvdWEB
github.com/moodle/moodle/commit/2924ba1c73f9ed3d525987807f9d289b3eb38154ghsaWEB
github.com/moodle/moodle/commit/553319be03c4ef8e62499841c8d5d94c6786ed6dghsaWEB
github.com/moodle/moodle/commit/c35df119a560e22d9e17f833b736b710b96431d9ghsaWEB
github.com/moodle/moodle/commit/eb45017b61e35bcab8c35e2c544b1e4144ca1f16ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000