CVE-2020-25629
HIGHMoodle 3.5.0-3.5.13, 3.7.0-3.7.7, 3.8.0-3.8.4, 3.9.0-3.9.1 - Privilege Escalation via 'Log in as' Capability
Title source: llmDescription
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=410841
Scores
CVSS v3
8.8
EPSS
0.0055
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
CWE-862
Status
published
Products (2)
moodle/moodle
3.5.0 - 3.5.14
moodle/moodle
3.9 - 3.9.2Packagist
Published
Dec 08, 2020
Tracked Since
Feb 18, 2026