CVE-2016-2157
Description
Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.7.13 | 2.7.13 |
| moodle/moodle (Packagist) | >= 2.8.0, < 2.8.11 | 2.8.11 |
| moodle/moodle (Packagist) | >= 2.9.0, < 2.9.5 | 2.9.5 |
| moodle/moodle (Packagist) | >= 3.0.0, < 3.0.3 | 3.0.3 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.6.11)
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.2:*:*:*:*:*:*:*
Patches
01b19e761f94 MDL-53031 mod_assign: add session check on assignment plugins management
1 file changed · +10 −3
mod/assign/adminmanageplugins.php+10 −3 modified@@ -25,11 +25,18 @@ require_once(dirname(__FILE__) . '/../../config.php'); require_once($CFG->dirroot.'/mod/assign/adminlib.php'); +$subtype = required_param('subtype', PARAM_PLUGIN); +$action = optional_param('action', null, PARAM_PLUGIN); +$plugin = optional_param('plugin', null, PARAM_PLUGIN); + +if (!empty($plugin)) { + require_sesskey(); +} + // Create the class for this controller. -$pluginmanager = new assign_plugin_manager(required_param('subtype', PARAM_PLUGIN)); +$pluginmanager = new assign_plugin_manager($subtype); $PAGE->set_context(context_system::instance()); // Execute the controller. -$pluginmanager->execute(optional_param('action', null, PARAM_PLUGIN), - optional_param('plugin', null, PARAM_PLUGIN)); +$pluginmanager->execute($action, $plugin);
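Review bot: the `require_sesskey()` call in the added `if (!empty($plugin))` block is gated on `$plugin` rather than on `$action`, so a request that sets `action` but leaves `plugin` empty still reaches `$pluginmanager->execute($action, $plugin)` with no session-key check. Whether that path can change state depends on `execute()`, which is not visible in this hunk. Either require the sesskey whenever `$action` is not null, or add a comment above the `if` stating that every state-changing action needs a `plugin` argument, so a later action added without one does not silently bypass the check. The same hunk is repeated for the other four commits listed under Patches, and the point applies to each.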
1452f1e1d37d MDL-53031 mod_assign: add session check on assignment plugins management
1 file changed · +10 −3
mod/assign/adminmanageplugins.php+10 −3 modified@@ -25,11 +25,18 @@ require_once(dirname(__FILE__) . '/../../config.php'); require_once($CFG->dirroot.'/mod/assign/adminlib.php'); +$subtype = required_param('subtype', PARAM_PLUGIN); +$action = optional_param('action', null, PARAM_PLUGIN); +$plugin = optional_param('plugin', null, PARAM_PLUGIN); + +if (!empty($plugin)) { + require_sesskey(); +} + // Create the class for this controller. -$pluginmanager = new assign_plugin_manager(required_param('subtype', PARAM_PLUGIN)); +$pluginmanager = new assign_plugin_manager($subtype); $PAGE->set_context(context_system::instance()); // Execute the controller. -$pluginmanager->execute(optional_param('action', null, PARAM_PLUGIN), - optional_param('plugin', null, PARAM_PLUGIN)); +$pluginmanager->execute($action, $plugin);
55ba3a26d271 MDL-53031 mod_assign: add session check on assignment plugins management
1 file changed · +10 −3
mod/assign/adminmanageplugins.php+10 −3 modified@@ -25,11 +25,18 @@ require_once(dirname(__FILE__) . '/../../config.php'); require_once($CFG->dirroot.'/mod/assign/adminlib.php'); +$subtype = required_param('subtype', PARAM_PLUGIN); +$action = optional_param('action', null, PARAM_PLUGIN); +$plugin = optional_param('plugin', null, PARAM_PLUGIN); + +if (!empty($plugin)) { + require_sesskey(); +} + // Create the class for this controller. -$pluginmanager = new assign_plugin_manager(required_param('subtype', PARAM_PLUGIN)); +$pluginmanager = new assign_plugin_manager($subtype); $PAGE->set_context(context_system::instance()); // Execute the controller. -$pluginmanager->execute(optional_param('action', null, PARAM_PLUGIN), - optional_param('plugin', null, PARAM_PLUGIN)); +$pluginmanager->execute($action, $plugin);
85984545a937 MDL-53031 mod_assign: add session check on assignment plugins management
1 file changed · +10 −3
mod/assign/adminmanageplugins.php+10 −3 modified@@ -25,11 +25,18 @@ require_once(dirname(__FILE__) . '/../../config.php'); require_once($CFG->dirroot.'/mod/assign/adminlib.php'); +$subtype = required_param('subtype', PARAM_PLUGIN); +$action = optional_param('action', null, PARAM_PLUGIN); +$plugin = optional_param('plugin', null, PARAM_PLUGIN); + +if (!empty($plugin)) { + require_sesskey(); +} + // Create the class for this controller. -$pluginmanager = new assign_plugin_manager(required_param('subtype', PARAM_PLUGIN)); +$pluginmanager = new assign_plugin_manager($subtype); $PAGE->set_context(context_system::instance()); // Execute the controller. -$pluginmanager->execute(optional_param('action', null, PARAM_PLUGIN), - optional_param('plugin', null, PARAM_PLUGIN)); +$pluginmanager->execute($action, $plugin);
a0cd21cd5cc6 MDL-53031 mod_assign: add session check on assignment plugins management
1 file changed · +10 −3
mod/assign/adminmanageplugins.php+10 −3 modified@@ -25,11 +25,18 @@ require_once(dirname(__FILE__) . '/../../config.php'); require_once($CFG->dirroot.'/mod/assign/adminlib.php'); +$subtype = required_param('subtype', PARAM_PLUGIN); +$action = optional_param('action', null, PARAM_PLUGIN); +$plugin = optional_param('plugin', null, PARAM_PLUGIN); + +if (!empty($plugin)) { + require_sesskey(); +} + // Create the class for this controller. -$pluginmanager = new assign_plugin_manager(required_param('subtype', PARAM_PLUGIN)); +$pluginmanager = new assign_plugin_manager($subtype); $PAGE->set_context(context_system::instance()); // Execute the controller. -$pluginmanager->execute(optional_param('action', null, PARAM_PLUGIN), - optional_param('plugin', null, PARAM_PLUGIN)); +$pluginmanager->execute($action, $plugin);
References
- github.com/advisories/GHSA-f5pm-c4cw-563p (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2016-2157 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2016/03/21/1 (nvd, WEB)
- github.com/moodle/moodle/commit/01b19e761f94a4f3615d5c8f6314309aa83469f3 (ghsa, WEB)
- github.com/moodle/moodle/commit/1452f1e1d37d816648e3e015296de59509847287 (ghsa, WEB)
- github.com/moodle/moodle/commit/55ba3a26d2710ce3c5f13287b0c3538b9a934fa4 (ghsa, WEB)
- github.com/moodle/moodle/commit/85984545a937b0790c355473d7295eb60b0265eb (ghsa, WEB)
- github.com/moodle/moodle/commit/a0cd21cd5cc63961243518a58e9d5d01182dbbb4 (ghsa, WEB)
- web.archive.org/web/20160424224349/http://www.securitytracker.com/id/1035333 (ghsa, WEB)
- www.securitytracker.com/id/1035333 (nvd)