Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 755629 (CVE-2020-25698, CVE-2020-25699, CVE-2020-25700, CVE-2020-25701, CVE-2020-25702, CVE-2020-25703)

Summary: www-apps/moodle: Multiple Vulnerabilities (CVE-2020-{25698,25699,25700,25701,25702.25703})
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: trivial CC: blueness, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [ebuild]
Package list:
Runtime testing required: ---

Description filip ambroz 2020-11-19 20:37:45 UTC 
CVE-2020-25698
--------------
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895419
https://moodle.org/mod/forum/discuss.php?d=413935


CVE-2020-25699
--------------
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895425
https://moodle.org/mod/forum/discuss.php?d=413936


CVE-2020-25700
--------------
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895427
https://moodle.org/mod/forum/discuss.php?d=413938


CVE-2020-25701
--------------
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895432
https://moodle.org/mod/forum/discuss.php?d=413939


CVE-2020-25702
--------------
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895437
https://moodle.org/mod/forum/discuss.php?d=413940


CVE-2020-25703
--------------
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895439
https://moodle.org/mod/forum/discuss.php?d=413941
Comment 1 Anthony Basile gentoo-dev 2020-11-19 21:33:06 UTC 
The latest releases are on the tree.  All the affected versions are off.
Comment 2 filip ambroz 2020-11-20 07:28:25 UTC 
(In reply to Anthony Basile from comment #1)
> The latest releases are on the tree.  All the affected versions are off.

thank you anthony! that was really quick :)