CVE-2020-25703 — Exposure of Sensitive Information to an Unauthorized Actor in Moodle

Description

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

How to fix CVE-2020-25703

To remediate CVE-2020-25703, upgrade the affected package to a fixed version below.

—upgrade to 3.7.9 or later
—upgrade to 3.9.3 or later

Is CVE-2020-25703 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
>= 3.9.0, < 3.9.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25703
PATCHgithub.com/moodle/moodle
WEBbugzilla.redhat.com/show_bug.cgi?id=1895439
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/