Description

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Remediation

References

CVE-2020-25629

Related Vulnerabilities

Oracle JRE CVE-2013-2438 Vulnerability (CVE-2013-2438)

Apache Tomcat Other Vulnerability (CVE-2002-1394)

Oracle HTTP Server Other Vulnerability (CVE-2007-0281)

IBM RTC Files or Directories Accessible to External Parties Vulnerability (CVE-2017-1602)

WordPress Plugin VideoWhisper Video Conference Integration 'vw_upload.php' Arbitrary File Upload (4.51)

Severity

High

Classification

CVE-2020-25629 CWE-284 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities