CVE-2020-25698
HIGH
Moodle 3.5.0-3.5.14, 3.7.0-3.7.8, 3.8.0-3.8.5, 3.9.0-3.9.2 - Improper Access Control in Course Enrollment Restoration
Title source: llm
Description
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
References (4)
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1895419
Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=413935
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
Scores
CVSS v3
7.5
EPSS
0.0070
EPSS Percentile
72.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (4)
fedoraproject/fedora
32
fedoraproject/fedora
33
moodle/moodle
3.5.0 - 3.5.14
moodle/moodle
3.9.0 - 3.9.3
Packagist
Published
Nov 19, 2020
Tracked Since
Feb 18, 2026