CVE-2020-25703

MEDIUM

Moodle < 3.7.8 - Information Disclosure

Title source: rule

Description

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

References (4)

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1895439

[Patch, Vendor Advisory] https://moodle.org/mod/forum/discuss.php?d=413941

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/

Scores

CVSS v3 5.3

EPSS 0.0031

EPSS Percentile 54.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-201 CWE-200

Status published

Affected Products (4)

moodle/moodle < 3.7.8

fedoraproject/fedora

fedoraproject/fedora

moodle/moodle < 3.9.3Packagist

Timeline

Published Nov 19, 2020

Tracked Since Feb 18, 2026