Description

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Remediation

References

CVE-2020-25701

Related Vulnerabilities

Microsoft SQL Server Other Vulnerability (CVE-2001-0344)

WordPress Plugin Custom Dashboard & Login Page-AGCA Cross-Site Request Forgery (6.5.4)

Moodle Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2018-1133)

PHP Other Vulnerability (CVE-1999-0068)

WordPress Plugin Post Form-Registration Form-Profile Form for User Profiles and Content Forms for User Submissions SQL Injection (2.2.7)

Severity

Medium

Classification

CVE-2020-25701 CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities