
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN629
_____________________________________________________________________

DATE                : 20/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.10,
                            3.9.3, 3.8.6, 3.7.9, 3.5.15.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=413935
https://moodle.org/mod/forum/discuss.php?d=413936
https://moodle.org/mod/forum/discuss.php?d=413938
https://moodle.org/mod/forum/discuss.php?d=413939
https://moodle.org/mod/forum/discuss.php?d=413940
https://moodle.org/mod/forum/discuss.php?d=413941
_____________________________________________________________________


MSA-20-0016: Teacher is able to unenrol users without permission using
course restore
by Michael Hawkins, Monday, 16 November 2020, 17:09


Users' enrolment capabilities were not being sufficiently checked when
they restored into an existing course, which could lead to them
unenrolling users without having permission to do so.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to
                         3.5.14 and earlier unsupported versions
Versions fixed:         3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:            Roman Sevostyanov
CVE identifier:         CVE-2020-25698
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837
Tracker issue:          MDL-67837 Teacher is able to unenrol users
                         without permission using course restore

_____________________________________________________________________


MSA-20-0017: Privilege escalation within a course when restoring role
overrides
by Michael Hawkins, Monday, 16 November 2020, 17:10


Insufficient capability checks could lead to users with the ability to
course restore adding additional capabilities to roles within that
course.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to
                         3.5.14 and earlier unsupported versions
Versions fixed:         3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:            Matt Petro
CVE identifier:         CVE-2020-25699
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56310
Tracker issue:          MDL-56310 Privilege escalation within a course
                         when restoring role overrides

_____________________________________________________________________


MSA-20-0018: Some database module web services did not respect group
settings
by Michael Hawkins, Monday, 16 November 2020, 17:11


Some database module web services allowed students to add entries within
groups they did not belong to.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to
                         3.5.14 and earlier unsupported versions
Versions fixed:         3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:            Dani Palou
CVE identifier:         CVE-2020-25700
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67015
Tracker issue:          MDL-67015 Some database module web services did
                         not respect group settings

_____________________________________________________________________


MSA-20-0019: tool_uploadcourse creates new enrol instances unexpectedly
in some circumstances
by Michael Hawkins, Monday, 16 November 2020, 17:14


If the upload course tool was used to delete an enrolment method which
did not exist or was not already enabled, the tool would erroneously
enable that enrolment method. This could lead to unintended users
gaining access to the course.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5
                         to 3.5.14 and earlier unsupported versions
Versions fixed:         3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:            Víctor Déniz Falcón
Workaround:             Until the patch is applied, ensure any enrolment
                         method deletions are only performed on courses
                         where that enrolment method already exists and
                         is enabled.
CVE identifier:         CVE-2020-25701
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69378
Tracker issue:           MDL-69378 tool_uploadcourse creates new enrol
                          instances unexpectedly in some circumstances
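
A pre-flight check for the workaround above, as an added example (not Moodle code and not part of the original advisory): it flags rows of an upload CSV that request deletion of an enrolment method the course does not already have enabled. The column names (shortname, enrolment_N, enrolment_N_delete), the status convention (0 = enabled) and the inventory of existing instances are assumptions; all sample data is constructed.

```python
import csv
import io
import re

# Constructed sample of a tool_uploadcourse CSV (column naming is an assumption).
SAMPLE_CSV = """shortname,enrolment_1,enrolment_1_delete,enrolment_2,enrolment_2_delete
C101,self,1,guest,0
C102,guest,1,,
C103,self,1,manual,1
"""

# Constructed inventory: (course shortname, enrol plugin) -> status; 0 = enabled, 1 = disabled.
SAMPLE_INSTANCES = {
    ("C101", "self"): 0,
    ("C103", "self"): 1,
    ("C103", "manual"): 0,
}

ENABLED = 0
_METHOD_COL = re.compile(r"^enrolment_(\d+)$")


def unsafe_deletions(csv_text, instances):
    """Return (line, shortname, method, reason) for each deletion outside the workaround."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        course = (row.get("shortname") or "").strip()
        for col, value in row.items():
            match = _METHOD_COL.match(col or "")
            method = (value or "").strip()
            if not match or not method:
                continue
            delete_flag = (row.get(f"enrolment_{match.group(1)}_delete") or "").strip()
            if delete_flag != "1":
                continue  # this row does not ask for a deletion of this method
            status = instances.get((course, method))
            if status is None:
                findings.append((line_no, course, method, "no instance in course"))
            elif status != ENABLED:
                findings.append((line_no, course, method, "instance not enabled"))
    return findings


if __name__ == "__main__":
    for finding in unsafe_deletions(SAMPLE_CSV, SAMPLE_INSTANCES):
        print("line %d: %s/%s: %s" % finding)
```

Rows it reports should be removed from the upload, or corrected, before the file is processed on an unpatched site.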

_____________________________________________________________________


MSA-20-0020: Stored XSS possible when renaming content bank items
by Michael Hawkins, Monday, 16 November 2020, 17:16


It was possible to include JavaScript when renaming content bank items.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2
Versions fixed:         3.10, 3.9.3
Reported by:            DegrangeM
CVE identifier:         CVE-2020-25702
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046
Tracker issue:          MDL-69046 Stored XSS possible when renaming
                         content bank items

_____________________________________________________________________


MSA-20-0021: The participants table download feature did not respect the
site's "show user identity" configuration
by Michael Hawkins, Monday, 16 November 2020, 17:17


The participants table download always included user emails, but should
have only done so when users' emails are not hidden.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8
Versions fixed:         3.10, 3.9.3, 3.8.6 and 3.7.9
Reported by:            A. Schenkel
CVE identifier:         CVE-2020-25703
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69844
Tracker issue:          MDL-69844 The participants table download
                         feature did not respect the site's "show user
                         identity" configuration

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



