Medium severity4.3NVD Advisory· Published Feb 22, 2016· Updated May 6, 2026

CVE-2015-5335

Description

Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
moodle/moodlePackagist	< 2.7.11	2.7.11
moodle/moodlePackagist	>= 2.8.0, < 2.8.9	2.8.9
moodle/moodlePackagist	>= 2.9.0, < 2.9.3	2.9.3

Affected products

Moodle/Moodle24 versions
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 23 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.6.11
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*

Patches

4bb9e1ad8af1

MDL-51091 core_registration: session key check in registration.

https://github.com/moodle/moodleCameron BallNov 2, 2015via ghsa

commit

2 files changed · +3 −1

admin/registration/register.php+2 −0 modified

@@ -39,6 +39,8 @@
 require_once($CFG->dirroot . '/webservice/lib.php');
 require_once($CFG->dirroot . '/' . $CFG->admin . '/registration/lib.php');
 
+require_sesskey();
+
 $huburl = required_param('huburl', PARAM_URL);
 $huburl = rtrim($huburl, "/");

admin/settings/top.php+1 −1 modified

@@ -11,7 +11,7 @@
 $ADMIN->add('root', new admin_externalpage('adminnotifications', new lang_string('notifications'), "$CFG->wwwroot/$CFG->admin/index.php"));
 
 $ADMIN->add('root', new admin_externalpage('registrationmoodleorg', new lang_string('registration', 'admin'),
-        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org"));
+        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org&sesskey=" . sesskey()));
 $ADMIN->add('root', new admin_externalpage('registrationhub', new lang_string('registerwith', 'hub'),
         "$CFG->wwwroot/$CFG->admin/registration/register.php", 'moodle/site:config', true));
 $ADMIN->add('root', new admin_externalpage('registrationhubs', new lang_string('hubs', 'admin'),

77e072ebec68

MDL-51091 core_registration: session key check in registration.

https://github.com/moodle/moodleCameron BallNov 2, 2015via ghsa

commit

2 files changed · +3 −1

admin/registration/register.php+2 −0 modified

@@ -39,6 +39,8 @@
 require_once($CFG->dirroot . '/webservice/lib.php');
 require_once($CFG->dirroot . '/' . $CFG->admin . '/registration/lib.php');
 
+require_sesskey();
+
 $huburl = required_param('huburl', PARAM_URL);
 $huburl = rtrim($huburl, "/");

admin/settings/top.php+1 −1 modified

@@ -11,7 +11,7 @@
 $ADMIN->add('root', new admin_externalpage('adminnotifications', new lang_string('notifications'), "$CFG->wwwroot/$CFG->admin/index.php"));
 
 $ADMIN->add('root', new admin_externalpage('registrationmoodleorg', new lang_string('registration', 'admin'),
-        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org"));
+        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org&sesskey=" . sesskey()));
 $ADMIN->add('root', new admin_externalpage('registrationhub', new lang_string('registerwith', 'hub'),
         "$CFG->wwwroot/$CFG->admin/registration/register.php", 'moodle/site:config', true));
 $ADMIN->add('root', new admin_externalpage('registrationhubs', new lang_string('hubs', 'admin'),

7bf5c6a542ef

MDL-51091 core_registration: session key check in registration.

https://github.com/moodle/moodleCameron BallNov 2, 2015via ghsa

commit

2 files changed · +3 −1

admin/registration/register.php+2 −0 modified

@@ -39,6 +39,8 @@
 require_once($CFG->dirroot . '/webservice/lib.php');
 require_once($CFG->dirroot . '/' . $CFG->admin . '/registration/lib.php');
 
+require_sesskey();
+
 $huburl = required_param('huburl', PARAM_URL);
 $huburl = rtrim($huburl, "/");

admin/settings/top.php+1 −1 modified

@@ -11,7 +11,7 @@
 $ADMIN->add('root', new admin_externalpage('adminnotifications', new lang_string('notifications'), "$CFG->wwwroot/$CFG->admin/index.php"));
 
 $ADMIN->add('root', new admin_externalpage('registrationmoodleorg', new lang_string('registration', 'admin'),
-        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org"));
+        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org&sesskey=" . sesskey()));
 $ADMIN->add('root', new admin_externalpage('registrationhub', new lang_string('registerwith', 'hub'),
         "$CFG->wwwroot/$CFG->admin/registration/register.php", 'moodle/site:config', true));
 $ADMIN->add('root', new admin_externalpage('registrationhubs', new lang_string('hubs', 'admin'),

a1168a7427f8

MDL-51091 core_registration: session key check in registration.

https://github.com/moodle/moodleCameron BallNov 2, 2015via ghsa

commit

2 files changed · +3 −1

admin/registration/register.php+2 −0 modified

@@ -39,6 +39,8 @@
 require_once($CFG->dirroot . '/webservice/lib.php');
 require_once($CFG->dirroot . '/' . $CFG->admin . '/registration/lib.php');
 
+require_sesskey();
+
 $huburl = required_param('huburl', PARAM_URL);
 $huburl = rtrim($huburl, "/");

admin/settings/top.php+1 −1 modified

@@ -11,7 +11,7 @@
 $ADMIN->add('root', new admin_externalpage('adminnotifications', new lang_string('notifications'), "$CFG->wwwroot/$CFG->admin/index.php"));
 
 $ADMIN->add('root', new admin_externalpage('registrationmoodleorg', new lang_string('registration', 'admin'),
-        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org"));
+        "$CFG->wwwroot/$CFG->admin/registration/register.php?huburl=" . HUB_MOODLEORGHUBURL . "&hubname=Moodle.org&sesskey=" . sesskey()));
 $ADMIN->add('root', new admin_externalpage('registrationhub', new lang_string('registerwith', 'hub'),
         "$CFG->wwwroot/$CFG->admin/registration/register.php", 'moodle/site:config', true));
 $ADMIN->add('root', new admin_externalpage('registrationhubs', new lang_string('hubs', 'admin'),

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hpmv-wvq3-gj27ghsaADVISORY
moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2015-5335ghsaADVISORY
github.com/moodle/moodle/commit/4bb9e1ad8af12b01499c68543e80f7c12fd557eaghsaWEB
github.com/moodle/moodle/commit/77e072ebec68ba685551b886b71054d1feae6c94ghsaWEB
github.com/moodle/moodle/commit/7bf5c6a542efa113dbb241a113cb6079f0572443ghsaWEB
github.com/moodle/moodle/commit/a1168a7427f8fa1926a771fe8e6d10aeb6689686ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000