CVE-2020-25698
Improper Access Control in moodle
7.5
HIGH
CVSS 3.1
EPSS 0.70%
Description
Users' enrolment capabilities were not sufficiently checked in Moodle when a course backup is restored into an existing course. A user performing such a restore could therefore unenrol other users from the course without holding the capability to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15 and 3.10.
How to fix CVE-2020-25698
To remediate CVE-2020-25698, upgrade Moodle to the first fixed release of the branch you run (or to 3.10 or later, which shipped with the fix):
- 3.5.x: upgrade to 3.5.15 or later
- 3.7.x: upgrade to 3.7.9 or later
- 3.8.x: upgrade to 3.8.6 or later
- 3.9.x: upgrade to 3.9.3 or later
- unsupported branches (3.6.x and anything before 3.5): no fixed release exists on the branch; move to a supported branch at or above its fixed release
Is CVE-2020-25698 being exploited?
Low. The EPSS score is 0.70%, a low estimated probability of exploitation in the wild over the next 30 days; it does not indicate exploitation at scale. Note that EPSS is a prediction, not a record of observed attacks, so it should not be read as proof that the flaw is unexploited.
Affected packages (2)
- >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
- >= 3.9.0, < 3.9.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |