Permissions, Privileges, and Access Controls in Moodle - CVE-2020-25701

 

Permissions, Privileges, and Access Controls in Moodle - CVE-2020-25701

Published: November 16, 2020


Vulnerability identifier: #VU48447
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-25701
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: moodle.org
Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists in the tool_uploadcourse function. If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.


How to mitigate CVE-2020-25701

Install updates from vendor's website.

Sources