CVE-2016-2159
Description
The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 2.7, < 2.7.13 | 2.7.13 |
| moodle/moodle (Packagist) | >= 2.8, < 2.8.11 | 2.8.11 |
| moodle/moodle (Packagist) | >= 2.9, < 2.9.5 | 2.9.5 |
| moodle/moodle (Packagist) | >= 3.0, < 3.0.3 | 3.0.3 |
Affected products
- cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.6.11)
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.2:*:*:*:*:*:*:*
Patches
0766509ab023 MDL-52774 ajax: Require authentication when getting nav branch
1 file changed · +4 −0
lib/ajax/getnavbranch.php+4 −0 modified@@ -32,6 +32,10 @@ /** Include course lib for its functions */ require_once($CFG->dirroot.'/course/lib.php'); +if (!empty($CFG->forcelogin)) { + require_login(); +} + try { // Start buffer capture so that we can `remove` any errors ob_start();
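Review bot: the added require_login() call in lib/ajax/getnavbranch.php sits above the try block, before ob_start() begins capturing output, so whatever it emits or throws for an unauthenticated request falls outside the error handling that follows. Consider moving the check inside the try, or confirm that the caller copes with the response in that case. The commit subject says authentication is required, but the code enforces it only when $CFG->forcelogin is set; a short comment above the if stating that this is intentional would help.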
3c069c16db62 MDL-52774 ajax: Require authentication when getting nav branch
1 file changed · +4 −0
lib/ajax/getnavbranch.php+4 −0 modified@@ -32,6 +32,10 @@ /** Include course lib for its functions */ require_once($CFG->dirroot.'/course/lib.php'); +if (!empty($CFG->forcelogin)) { + require_login(); +} + try { // Start buffer capture so that we can `remove` any errors ob_start();
dc8421575f35 MDL-52774 ajax: Require authentication when getting nav branch
1 file changed · +4 −0
lib/ajax/getnavbranch.php+4 −0 modified@@ -32,6 +32,10 @@ /** Include course lib for its functions */ require_once($CFG->dirroot.'/course/lib.php'); +if (!empty($CFG->forcelogin)) { + require_login(); +} + try { // Start buffer capture so that we can `remove` any errors ob_start();
ea8987644fdb MDL-52774 ajax: Require authentication when getting nav branch
1 file changed · +4 −0
lib/ajax/getnavbranch.php+4 −0 modified@@ -32,6 +32,10 @@ /** Include course lib for its functions */ require_once($CFG->dirroot.'/course/lib.php'); +if (!empty($CFG->forcelogin)) { + require_login(); +} + try { // Start buffer capture so that we can `remove` any errors ob_start();
711f9468d4e2 MDL-52901 mod_assign: Check due dates in external save_submission
2 files changed · +16 −3
mod/assign/externallib.php+6 −3 modified@@ -1681,9 +1681,12 @@ public static function save_submission($assignmentid, $plugindata) { $notices = array(); - $submissiondata = (object)$params['plugindata']; - - $assignment->save_submission($submissiondata, $notices); + if (!$assignment->submissions_open($USER->id)) { + $notices[] = get_string('duedatereached', 'assign'); + } else { + $submissiondata = (object)$params['plugindata']; + $assignment->save_submission($submissiondata, $notices); + } $warnings = array(); foreach ($notices as $notice) {
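Review bot: in save_submission, the refusal is reported only as a notice with the fixed string 'duedatereached', so the call still returns normally and a client that ignores warnings will treat the submission as saved; the same string is also used for whatever reason submissions_open() returned false. Consider documenting that callers must check the returned warnings, or raising an error instead. The new condition reads $USER->id and the hunk adds no global declaration, so confirm $USER is already in scope at the top of the function.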
mod/assign/tests/externallib_test.php+10 −0 modified@@ -946,6 +946,16 @@ public function test_save_submission() { $this->assertEquals(0, count($result)); + // Set up a due and cutoff passed date. + $instance->duedate = time() - WEEKSECS; + $instance->cutoffdate = time() - WEEKSECS; + $DB->update_record('assign', $instance); + + $result = mod_assign_external::save_submission($instance->id, $submissionpluginparams); + $result = external_api::clean_returnvalue(mod_assign_external::save_submission_returns(), $result); + + $this->assertCount(1, $result); + $this->assertEquals(get_string('duedatereached', 'assign'), $result[0]['item']); } /**
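Review bot: the new case in test_save_submission sets duedate and cutoffdate to the same past value, so it cannot tell a passed due date apart from a passed cut-off, and it asserts only on the returned warning. Add a case with the due date passed and the cut-off still in the future, and assert that no submission data was stored when the 'duedatereached' warning comes back.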
References
- github.com/advisories/GHSA-cw72-69wq-f9f2 (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2016-2159 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2016/03/21/1 (nvd, WEB)
- github.com/moodle/moodle/commit/0766509ab02353008af62f953f7ebc0f6210411a (ghsa, WEB)
- github.com/moodle/moodle/commit/3c069c16db62d0e0a64137578e92c22d604dd261 (ghsa, WEB)
- github.com/moodle/moodle/commit/711f9468d4e2792afe0f2025ac98c52ee3e4ee71 (ghsa, WEB)
- github.com/moodle/moodle/commit/dc8421575f35585a7a4fc1c9710dafd1d0483d4e (ghsa, WEB)
- github.com/moodle/moodle/commit/ea8987644fdbbee291337263598b0c3c7bf27c36 (ghsa, WEB)
- web.archive.org/web/20160424224349/http://www.securitytracker.com/id/1035333 (ghsa, WEB)
- www.securitytracker.com/id/1035333 (nvd)