High severity (7.4) · NVD advisory · Published Feb 22, 2016 · Updated May 6, 2026
CVE-2015-3272
Description
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.
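To make the "substring match with a local URL" concrete, the following Python re-implementation (added here; it is not Moodle's code) mirrors the local URL validation branch of clean_param before and after the MDL-50688 fix. The site root and the lookalike hostname are constructed sample values, and the original's final relative-URL branch is left out (modelled as a plain reject).

```python
import re

# Constructed sample site root; not a real deployment.
WWWROOT = "http://moodle.example.org"


def _https_root(wwwroot: str) -> str:
    # Mirrors: $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot);
    return wwwroot.replace("http://", "https://")


def is_local_url_before_fix(param: str, wwwroot: str = WWWROOT, loginhttps: bool = False) -> bool:
    """Pre-patch check: accepts any value that merely *starts with* the wwwroot string."""
    httpswwwroot = _https_root(wwwroot)
    if param.startswith("/"):                                   # preg_match(':^/:', $param)
        return True
    if re.match("^" + re.escape(wwwroot), param, re.IGNORECASE):
        return True                                             # prefix only, no separator required
    if loginhttps and re.match("^" + re.escape(httpswwwroot), param, re.IGNORECASE):
        return True
    return False  # assumption: the original's relative-URL branch is not modelled here


def is_local_url_after_fix(param: str, wwwroot: str = WWWROOT, loginhttps: bool = False) -> bool:
    """Patched check: exact match, or wwwroot followed by '/' so the hostname cannot be extended."""
    httpswwwroot = _https_root(wwwroot)
    if param == wwwroot:
        return True
    if loginhttps and param == httpswwwroot:
        return True
    if param.startswith("/"):
        return True
    if re.match("^" + re.escape(wwwroot + "/"), param, re.IGNORECASE):
        return True
    if loginhttps and re.match("^" + re.escape(httpswwwroot + "/"), param, re.IGNORECASE):
        return True
    return False


if __name__ == "__main__":
    samples = [
        "http://moodle.example.org",
        "http://moodle.example.org/course/view.php?id=2",
        "/login/index.php",
        "http://moodle.example.org.lookalike.invalid/",  # constructed: shares the wwwroot prefix
        "https://moodle.example.org/",
    ]
    for url in samples:
        print(f"{url:48} before={is_local_url_before_fix(url)!s:5} after={is_local_url_after_fix(url)}")
```

The fourth sample is the defect in one line: the pre-fix check accepts a foreign host that happens to begin with the site's own root, while the patched check requires either an exact match or the root followed by a path separator.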
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 2.7.0, < 2.7.9 | 2.7.9 |
| moodle/moodle | Packagist | >= 2.8.0, < 2.8.7 | 2.8.7 |
| moodle/moodle | Packagist | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
Patches
9580c08e9e4e MDL-50688 lib: fix local url validation bug
1 file changed · +7 −3
lib/moodlelib.php+7 −3 modified@@ -1036,11 +1036,15 @@ function clean_param($param, $type) { // Simulate the HTTPS version of the site. $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot); - if (preg_match(':^/:', $param)) { + if ($param === $CFG->wwwroot) { + // Exact match; + } else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) { + // Exact match; + } else if (preg_match(':^/:', $param)) { // Root-relative, ok! - } else if (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) { + } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our wwwroot. - } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot, '/') . '/i', $param)) { + } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our httpswwwroot. } else { // Relative - let's make sure there are no tricks.
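Review bot: appending `'/'` to `$CFG->wwwroot` before `preg_quote` is the right fix for the prefix-only match, since the old `'/^' . preg_quote($CFG->wwwroot, '/') . '/i'` pattern accepted any value whose text merely started with the site root; two follow-ups. First, a value that is exactly wwwroot followed by `?` or `#` now matches neither the new exact-match branch nor the `wwwroot . '/'` prefix and falls through to the `// Relative - let's make sure there are no tricks.` branch, so confirm that branch accepts or deliberately rejects it, or give `?` the same treatment as `/`. Second, the two `// Exact match;` branches have empty bodies and a stray semicolon in the comment; folding each exact comparison into the matching `preg_match` branch (`$param === $CFG->wwwroot || preg_match(...)`) removes the empty blocks and keeps the https comparison next to its `loginhttps` guard.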
5c1f41f0583e MDL-50688 lib: fix local url validation bug
1 file changed · +7 −3
lib/moodlelib.php+7 −3 modified@@ -1033,11 +1033,15 @@ function clean_param($param, $type) { // Simulate the HTTPS version of the site. $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot); - if (preg_match(':^/:', $param)) { + if ($param === $CFG->wwwroot) { + // Exact match; + } else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) { + // Exact match; + } else if (preg_match(':^/:', $param)) { // Root-relative, ok! - } else if (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) { + } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our wwwroot. - } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot, '/') . '/i', $param)) { + } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our httpswwwroot. } else { // Relative - let's make sure there are no tricks.
5673aae91407 MDL-50688 lib: fix local url validation bug
1 file changed · +7 −3
lib/moodlelib.php+7 −3 modified@@ -1033,11 +1033,15 @@ function clean_param($param, $type) { // Simulate the HTTPS version of the site. $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot); - if (preg_match(':^/:', $param)) { + if ($param === $CFG->wwwroot) { + // Exact match; + } else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) { + // Exact match; + } else if (preg_match(':^/:', $param)) { // Root-relative, ok! - } else if (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) { + } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our wwwroot. - } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot, '/') . '/i', $param)) { + } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our httpswwwroot. } else { // Relative - let's make sure there are no tricks.
980bd08bdc01 MDL-50688 lib: fix local url validation bug
1 file changed · +7 −3
lib/moodlelib.php+7 −3 modified@@ -1036,11 +1036,15 @@ function clean_param($param, $type) { // Simulate the HTTPS version of the site. $httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot); - if (preg_match(':^/:', $param)) { + if ($param === $CFG->wwwroot) { + // Exact match; + } else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) { + // Exact match; + } else if (preg_match(':^/:', $param)) { // Root-relative, ok! - } else if (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) { + } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our wwwroot. - } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot, '/') . '/i', $param)) { + } else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) { // Absolute, and matches our httpswwwroot. } else { // Relative - let's make sure there are no tricks.
References
- github.com/advisories/GHSA-2hw2-h3mf-c2j9 (advisory; source: GHSA)
- moodle.org/mod/forum/discuss.php (vendor advisory; source: NVD)
- nvd.nist.gov/vuln/detail/CVE-2015-3272 (advisory; source: GHSA)
- openwall.com/lists/oss-security/2015/07/13/2 (web; source: NVD)
- github.com/moodle/moodle/commit/5673aae914070fa93b861a39f6bb3eae2f79bbc2 (web; source: GHSA)
- github.com/moodle/moodle/commit/5c1f41f0583e9174ead1530f93dc4b260d8036d5 (web; source: GHSA)
- github.com/moodle/moodle/commit/9580c08e9e4e5e80606d46aea2014f83f863534f (web; source: GHSA)
- github.com/moodle/moodle/commit/980bd08bdc01586bf8b5d407b049645ea6ff1174 (web; source: GHSA)
- web.archive.org/web/20150924032214/http://www.securitytracker.com/id/1032877 (web; source: GHSA)
- www.securitytracker.com/id/1032877 (source: NVD)