Description

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Remediation

References

CVE-2020-25701

Related Vulnerabilities

PHP CVE-2007-0910 Vulnerability (CVE-2007-0910)

WordPress Plugin YITH WooCommerce Waiting List Security Bypass (1.3.9)

WordPress Plugin Knight Lab Timeline Cross-Site Scripting (3.6.6)

WebLogic Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-41184)

Drupal Core 4.5.x Cross-Site Scripting (4.5.0 - 4.5.1)

Severity

Medium

Classification

CVE-2020-25701 CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities