Authentication bypass using an alternate path or channel in Moodle - CVE-2021-20282

 

Authentication bypass using an alternate path or channel in Moodle - CVE-2021-20282

Published: March 15, 2021


Vulnerability identifier: #VU51479
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-20282
CWE-ID: CWE-288
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: moodle.org
Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error that allowed newly created users to bypass email verification process without having an access to the verification email link/secret. A remote attacker can register an account with an email address of other users and gain unauthorized access to the application.


How to mitigate CVE-2021-20282

Install updates from vendor's website.

Sources