CVE-2020-25701
First published: Fri Nov 06 2020(Updated: )
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=3.5<3.5.15 | 3.5.15 |
| composer/moodle/moodle | >=3.7.0<3.7.9 | 3.7.9 |
| composer/moodle/moodle | >=3.8.0<3.8.6 | 3.8.6 |
| composer/moodle/moodle | >=3.9.0<3.9.3 | 3.9.3 |
| redhat/moodle | <3.9.3 | 3.9.3 |
| redhat/moodle | <3.8.6 | 3.8.6 |
| redhat/moodle | <3.7.9 | 3.7.9 |
| redhat/moodle | <3.5.15 | 3.5.15 |
| redhat/moodle | <3.10 | 3.10 |
| Moodle | >=3.5.0<=3.5.14 | |
| Moodle | >=3.7.0<=3.7.8 | |
| Moodle | >=3.8.0<=3.8.5 | |
| Moodle | >=3.9.0<=3.9.2 | |
| Fedora | =32 | |
| Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-25701
- https://github.com/moodle/moodle/commit/b8e1eec4c77c858de87fedf4e405e929539ea0c5
- https://bugzilla.redhat.com/show_bug.cgi?id=1895432
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
- https://moodle.org/mod/forum/discuss.php?d=413939
- https://github.com/advisories/GHSA-c9hq-g4q8-w893 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1899541
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1899542
Frequently Asked Questions
What is the severity of CVE-2020-25701?
The severity of CVE-2020-25701 is considered moderate due to the potential for unauthorized access to courses.
How do I fix CVE-2020-25701?
To fix CVE-2020-25701, upgrade Moodle to version 3.5.15, 3.7.9, 3.8.6, or 3.9.3 or later.
Which Moodle versions are affected by CVE-2020-25701?
Moodle versions affected by CVE-2020-25701 include 3.9 to 3.9.2, 3.8 to 3.8.5, and 3.7 to 3.7.6.
What kind of exploit does CVE-2020-25701 represent?
CVE-2020-25701 represents a vulnerability that could allow unintended users access to courses via erroneous enrollment method enabling.
Is there a workaround for CVE-2020-25701?
There is no documented workaround for CVE-2020-25701; the recommended action is to apply the appropriate software update.
- collector/github-advisory-latest
- alias/GHSA-c9hq-g4q8-w893
- alias/CVE-2020-25701
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- package-manager/redhat
- vendor/moodle
- canonical/moodle
- version/moodle/3.5.0
- version/moodle/3.5.14
- version/moodle/3.7.0
- version/moodle/3.7.8
- version/moodle/3.8.0
- version/moodle/3.8.5
- version/moodle/3.9.0
- version/moodle/3.9.2
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33