CVE-2015-5338
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 2.7.11 | 2.7.11 |
| moodle/moodle | Packagist | >= 2.8.0, < 2.8.9 | 2.8.9 |
| moodle/moodle | Packagist | >= 2.9.0, < 2.9.3 | 2.9.3 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <= 2.6.11)
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
Patches
dcb42c9ed13b MDL-48109 mod_lesson: prevent CSRF on lesson
3 files changed · +3 −0
mod/lesson/mediafile.php+1 −0 modified@@ -84,6 +84,7 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
mod/lesson/renderer.php+1 −0 modified@@ -113,6 +113,7 @@ public function login_prompt(lesson $lesson, $failedattempt = false) { $output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">'; $output .= '<fieldset class="invisiblefieldset center">'; $output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />'; + $output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />'; if ($failedattempt) { $output .= $this->output->notification(get_string('loginfail', 'lesson')); }
mod/lesson/view.php+1 −0 modified@@ -83,6 +83,7 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
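Review bot: in the mod/lesson/mediafile.php hunk the new `require_sesskey()` is placed inside the branch that has already matched the password, so the token is only demanded after a correct password has been compared against the stored hash, and the only form touched by this commit (renderer.php) posts to view.php, not to mediafile.php. Confirm that every request that delivers `userpassword` to mediafile.php also carries `sesskey`; otherwise a legitimate submission on that path now aborts with a session-key exception instead of falling back to the prompt. Requiring the token at the top of the `else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id]))` branch, guarded on a non-empty `$userpassword` so the plain GET that renders the prompt still works, would reject forged requests before the password is consulted at all.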
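Review bot: the view.php hunk leaves the password check on PHP's loose `==` in `$lesson->password == md5(trim($userpassword))` and in the plaintext fallback `$lesson->password == trim($userpassword)`; a strict comparison (`===`, or `hash_equals()` for a constant-time check) avoids loose string-comparison semantics and is what the surrounding code already relies on elsewhere with `strcmp(...) === 0`. Since this commit is touching exactly that condition, tightening the comparison in the same change would be cheap.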
f75333766c72 MDL-48109 mod_lesson: prevent CSRF on lesson
3 files changed · +3 −0
mod/lesson/mediafile.php+1 −0 modified@@ -84,6 +84,7 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
mod/lesson/renderer.php+1 −0 modified@@ -113,6 +113,7 @@ public function login_prompt(lesson $lesson, $failedattempt = false) { $output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">'; $output .= '<fieldset class="invisiblefieldset center">'; $output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />'; + $output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />'; if ($failedattempt) { $output .= $this->output->notification(get_string('loginfail', 'lesson')); }
mod/lesson/view.php+1 −0 modified@@ -83,6 +83,7 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
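Review bot: in both the mediafile.php and the view.php hunk the inserted `require_sesskey();` is immediately followed by the pre-existing `// with or without md5 for backward compatibility (MDL-11090)`, so that comment now reads as if it explained the session-key check rather than the `md5(...)`/plaintext comparison in the `if` above it. Keep the comment on the condition it describes, or split it onto its own line as 817cae1ac7ca does for view.php, so the two unrelated concerns stay visibly separate.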
541c5b8552e0 MDL-48109 mod_lesson: prevent CSRF on password protected lesson
3 files changed · +6 −0
mod/lesson/mediafile.php+2 −0 modified@@ -87,13 +87,15 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; $correctpass = true; } else if (isset($lesson->extrapasswords)) { // Group overrides may have additional passwords. foreach ($lesson->extrapasswords as $password) { if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) { + require_sesskey(); $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; }
mod/lesson/renderer.php+1 −0 modified@@ -113,6 +113,7 @@ public function login_prompt(lesson $lesson, $failedattempt = false) { $output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">'; $output .= '<fieldset class="invisiblefieldset center">'; $output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />'; + $output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />'; if ($failedattempt) { $output .= $this->output->notification(get_string('loginfail', 'lesson')); }
mod/lesson/view.php+3 −0 modified@@ -86,14 +86,17 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; } else if (isset($lesson->extrapasswords)) { + // Group overrides may have additional passwords. foreach ($lesson->extrapasswords as $password) { if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) { + require_sesskey(); $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; }
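Review bot: the `else if (isset($lesson->extrapasswords))` branch in the mediafile.php hunk compares each override password against `md5(trim($userpassword))` and `trim($userpassword)` without the `!empty($userpassword)` guard that the primary branch has, so an empty submission is still run through the loop. Adding the same guard would make the override path and the primary path accept identical inputs. The loop also keeps iterating after a match; a `break` after `$USER->lessonloggedin[$lesson->id] = true;` would avoid re-running `require_sesskey()` and the comparison for the remaining overrides.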
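Review bot: the view.php hunk adds `// Group overrides may have additional passwords.` as a new line while the same comment is already present (unchanged context) in the mediafile.php hunk, which shows the two files had drifted before this fix. Worth a note in the commit message, since the CVE lists both entry points precisely because each copy of the block needed the `require_sesskey()` separately.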
817cae1ac7ca MDL-48109 mod_lesson: prevent CSRF on password protected lesson
3 files changed · +7 −0
mod/lesson/mediafile.php+2 −0 modified@@ -88,6 +88,7 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); // with or without md5 for backward compatibility (MDL-11090) $USER->lessonloggedin[$lesson->id] = true; $correctpass = true; @@ -99,6 +100,7 @@ // Group overrides may have additional passwords. foreach ($lesson->extrapasswords as $password) { if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) { + require_sesskey(); $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
mod/lesson/renderer.php+1 −0 modified@@ -113,6 +113,7 @@ public function login_prompt(lesson $lesson, $failedattempt = false) { $output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">'; $output .= '<fieldset class="invisiblefieldset center">'; $output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />'; + $output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />'; if ($failedattempt) { $output .= $this->output->notification(get_string('loginfail', 'lesson')); }
mod/lesson/view.php+4 −0 modified@@ -87,6 +87,8 @@ } else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code $correctpass = false; if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) { + require_sesskey(); + // with or without md5 for backward compatibility (MDL-11090) $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; @@ -95,9 +97,11 @@ redirect("$CFG->wwwroot/mod/lesson/view.php?id=$cm->id"); } } else if (isset($lesson->extrapasswords)) { + // Group overrides may have additional passwords. foreach ($lesson->extrapasswords as $password) { if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) { + require_sesskey(); $correctpass = true; $USER->lessonloggedin[$lesson->id] = true; if ($lesson->highscores) {
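Review bot: after this commit mod/lesson/view.php and mod/lesson/mediafile.php each carry a near-identical password-gate block (primary password, override loop, `require_sesskey()` in both places, `$USER->lessonloggedin[$lesson->id] = true`). Extracting that block into a single method on the `lesson` class and calling it from both pages would mean the session-key requirement, the empty-password guard and the comparison style cannot drift between the two entry points again, which is the failure mode this CVE exercised.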
Vulnerability mechanics
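The fix pattern the four patches apply, as an added example that is not Moodle's own code: a per-session token is embedded in the password form and verified by a stand-in `require_sesskey()` before the lesson marks the session as logged in. The names `sesskey()` and `require_sesskey()` echo the functions in the diffs, but their bodies, the array-backed session, the form markup and the sample password are constructed here.

```php
<?php
// Added illustration of the MDL-48109 fix pattern, not Moodle's own code.
// The session is a plain array so this runs from the CLI with no web server.
// Mint one random anti-CSRF token per session (stand-in for sesskey()).
function sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}
// Stand-in for require_sesskey(): abort unless the posted token matches the
// session's; hash_equals() keeps the comparison constant-time.
function require_sesskey(array $session, array $post): void {
    $expected = (string) ($session['sesskey'] ?? '');
    if ($expected === '' || !hash_equals($expected, (string) ($post['sesskey'] ?? ''))) {
        throw new RuntimeException('invalid sesskey');
    }
}
// The password form as renderer.php now emits it; the hidden sesskey is the
// value a form served from another origin cannot supply.
function login_prompt(array &$session, int $cmid): string {
    return '<form method="post" action="/mod/lesson/view.php">'
        . '<input type="hidden" name="id" value="' . $cmid . '" />'
        . '<input type="hidden" name="sesskey" value="' . sesskey($session) . '" />'
        . '<input type="password" name="userpassword" /></form>';
}
// Mirror of the patched view.php branch: the token is demanded before the
// per-lesson "logged in" flag is written. $storedhash is the lesson's md5
// value as on the page, compared strictly rather than with ==.
function lesson_password_gate(array &$session, array $post, string $storedhash, int $lessonid): bool {
    $userpassword = trim((string) ($post['userpassword'] ?? ''));
    if ($userpassword !== '' && hash_equals($storedhash, md5($userpassword))) {
        require_sesskey($session, $post);   // the line the fix adds
        $session['lessonloggedin'][$lessonid] = true;
        return true;
    }
    return false;
}
// Constructed demo: the same correct password, first without, then with the token.
$session = [];
login_prompt($session, 42);                 // rendering the form mints the token
$storedhash = md5('lesson-secret');         // constructed lesson password
try {
    lesson_password_gate($session, ['userpassword' => 'lesson-secret'], $storedhash, 7);
} catch (RuntimeException $e) {
    echo "no token: {$e->getMessage()}\n"; // a cross-site POST stops here
}
$post = ['userpassword' => 'lesson-secret', 'sesskey' => $session['sesskey']];
echo lesson_password_gate($session, $post, $storedhash, 7) ? "accepted\n" : "refused\n";
```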
References
- github.com/advisories/GHSA-v33x-q8gh-4x42 (advisory, via GHSA)
- moodle.org/mod/forum/discuss.php (vendor advisory, via NVD)
- nvd.nist.gov/vuln/detail/CVE-2015-5338 (advisory, via GHSA)
- github.com/moodle/moodle/commit/541c5b8552e0162010d0259c90a04eb63e875958 (fix commit, via GHSA)
- github.com/moodle/moodle/commit/817cae1ac7ca748ba368439a40ef67d555774485 (fix commit, via GHSA)
- github.com/moodle/moodle/commit/dcb42c9ed13b0c0ec2dde22b62ef69772d7725e6 (fix commit, via GHSA)
- github.com/moodle/moodle/commit/f75333766c7295932baa72a9dbe9542baf14e107 (fix commit, via GHSA)