CVE-2020-25698
--------------
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so.
Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions.
Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895419
https://moodle.org/mod/forum/discuss.php?d=413935

CVE-2020-25699
--------------
In Moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions.
This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895425
https://moodle.org/mod/forum/discuss.php?d=413936

CVE-2020-25700
--------------
In Moodle, some database module web services allowed students to add entries within groups they did not belong to.
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions.
This is fixed in Moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895427
https://moodle.org/mod/forum/discuss.php?d=413938

CVE-2020-25701
--------------
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course.
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions.
This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895432
https://moodle.org/mod/forum/discuss.php?d=413939

CVE-2020-25702
--------------
In Moodle, it was possible to include JavaScript when re-naming content bank items.
Versions affected: 3.9 to 3.9.2.
This is fixed in Moodle 3.9.3 and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895437
https://moodle.org/mod/forum/discuss.php?d=413940

CVE-2020-25703
--------------
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden.
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8.
This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1895439
https://moodle.org/mod/forum/discuss.php?d=413941
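The affected and fixed version lists above are the only actionable data in the advisories, and checking an installed Moodle against six overlapping ranges by eye is error-prone. The following is an added helper, not code from the bug report, from Moodle, or from Gentoo: it transcribes the ranges stated above into a table and answers "which of these CVEs does version X fall under?". Its one interpretive assumption is how to treat a branch the advisory does not list (for example 3.6): where the advisory says "and earlier unsupported versions" such a branch is counted as affected, otherwise it is not; anything newer than the newest listed branch (3.10 and later) is treated as fixed. The fix lists are reproduced exactly as the advisories state them, so CVE-2020-25700 is checked only against its stated affected ranges.

```python
"""Check a Moodle version string against the CVE ranges quoted in the advisories above.

Added example; the ADVISORIES table is a transcription of the advisory text,
not data obtained from Moodle or Gentoo tooling.
"""
from typing import Dict, List, Tuple

Branch = Tuple[int, int]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.9' -> (3, 9, 0); '3.9.2' -> (3, 9, 2). A trailing '+' (Moodle weekly
    builds) is ignored, which is conservative: 3.9.2+ is treated as 3.9.2."""
    parts = version.strip().rstrip("+").split(".")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


# Per CVE: {branch: last affected point release} and whether the advisory also
# says "and earlier unsupported versions". Transcribed from the text above.
ADVISORIES: Dict[str, Tuple[Dict[Branch, int], bool]] = {
    "CVE-2020-25698": ({(3, 5): 14, (3, 7): 8, (3, 8): 5, (3, 9): 2}, True),
    "CVE-2020-25699": ({(3, 5): 14, (3, 7): 8, (3, 8): 5, (3, 9): 2}, True),
    "CVE-2020-25700": ({(3, 5): 14, (3, 7): 8, (3, 8): 5, (3, 9): 2}, True),
    "CVE-2020-25701": ({(3, 5): 14, (3, 7): 8, (3, 8): 5, (3, 9): 2}, True),
    "CVE-2020-25702": ({(3, 9): 2}, False),
    "CVE-2020-25703": ({(3, 7): 8, (3, 8): 5, (3, 9): 2}, False),
}


def is_affected(version: str, cve: str) -> bool:
    major, minor, patch = parse_version(version)
    branches, earlier_unsupported = ADVISORIES[cve]
    branch: Branch = (major, minor)
    if branch in branches:
        # Listed branch: affected up to and including the stated last release.
        return patch <= branches[branch]
    if branch > max(branches):
        # Newer than the newest listed branch (3.10 and later) ships the fix.
        return False
    # Assumption: an unlisted older branch (e.g. 3.6) is unsupported and is
    # counted as affected only when the advisory says "earlier unsupported".
    return earlier_unsupported


def affected_cves(version: str) -> List[str]:
    """All CVEs from the advisories above that cover the given version."""
    return [cve for cve in ADVISORIES if is_affected(version, cve)]


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["3.9.2", "3.9.3", "3.8.5", "3.6.10", "3.10"]:
        hits = affected_cves(v)
        print(f"{v}: {', '.join(hits) if hits else 'not affected'}")
```

Run it with one or more version strings (`python check.py 3.8.5`); with no arguments it prints a small sample. The table is the part to audit if the advisory text is ever corrected upstream.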
The latest releases are on the tree. All the affected versions are off.
(In reply to Anthony Basile from comment #1)
> The latest releases are on the tree. All the affected versions are off.

Thank you Anthony! That was really quick :)