===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4071
                      Multiple Moodle vulnerabilities
                             17 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Cross-site Scripting -- Remote with User Interaction
                   Unauthorised Access  -- Existing Account
                   Reduced Security     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25703 CVE-2020-25702 CVE-2020-25701
                   CVE-2020-25700 CVE-2020-25699 CVE-2020-25698

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=413935&parent=1668770
   https://moodle.org/mod/forum/discuss.php?d=413936&parent=1668771
   https://moodle.org/mod/forum/discuss.php?d=413938&parent=1668773
   https://moodle.org/mod/forum/discuss.php?d=413939&parent=1668774
   https://moodle.org/mod/forum/discuss.php?d=413940&parent=1668775
   https://moodle.org/mod/forum/discuss.php?d=413941&parent=1668777

Comment: This bulletin contains six (6) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-20-0016: Teacher is able to unenrol users without permission using course
restore

Users' enrolment capabilities were not being sufficiently checked when they
restored into an existing course, which could lead to them unenrolling users
without having permission to do so.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and
                   earlier unsupported versions
Versions fixed:    3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:       Roman Sevostyanov
CVE identifier:    CVE-2020-25698
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837
Tracker issue:     MDL-67837 Teacher is able to unenrol users without permission
                   using course restore

--------------------------------------------------------------------------------

MSA-20-0017: Privilege escalation within a course when restoring role overrides

Insufficient capability checks could allow users with the capability to restore
a course to add further capabilities to roles within that course.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and
                   earlier unsupported versions
Versions fixed:    3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:       Matt Petro
CVE identifier:    CVE-2020-25699
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56310
Tracker issue:     MDL-56310 Privilege escalation within a course when restoring
                   role overrides

--------------------------------------------------------------------------------

MSA-20-0018: Some database module web services did not respect group settings

Some database module web services allowed students to add entries within groups
they did not belong to.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and
                   earlier unsupported versions
Versions fixed:    3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by:       Dani Palou
CVE identifier:    CVE-2020-25700
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67015
Tracker issue:     MDL-67015 Some database module web services did not respect
                   group settings

--------------------------------------------------------------------------------

MSA-20-0019: tool_uploadcourse creates new enrol instances unexpectedly in some
circumstances

If the upload course tool was used to delete an enrolment method which did not
exist or was not already enabled, the tool would erroneously enable that
enrolment method. This could lead to unintended users gaining access to the
course.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and
                   earlier unsupported versions
Versions fixed:    3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Workaround:        Until the patch is applied, ensure any enrolment method
                   deletions are only performed on courses where that
                   enrolment method already exists and is enabled.
CVE identifier:    CVE-2020-25701
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69378
Tracker issue:     MDL-69378 tool_uploadcourse creates new enrol instances
                   unexpectedly in some circumstances
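
The workaround above asks administrators to confirm, before running an upload,
that every enrolment-method deletion targets a course where that method exists
and is enabled. The following script is an added example, not part of the Moodle
advisory or of tool_uploadcourse itself: it reads an upload CSV and flags any
`enrolment_N_delete` row that would hit the unpatched behaviour. It assumes the
tool_uploadcourse column names `shortname`, `enrolment_N` and
`enrolment_N_delete`, and models `mdl_course` / `mdl_enrol` with an in-memory
SQLite table holding constructed rows (in Moodle, enrol.status 0 means enabled).

```python
import csv
import io
import sqlite3

ENROL_INSTANCE_ENABLED = 0  # Moodle's value for an enabled enrol instance

# Constructed stand-in for mdl_course and mdl_enrol (assumed minimal schema).
SAMPLE_SCHEMA_AND_ROWS = """
CREATE TABLE mdl_course (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_enrol (id INTEGER PRIMARY KEY, courseid INTEGER,
                        enrol TEXT, status INTEGER);
INSERT INTO mdl_course VALUES (2, 'SEC101'), (3, 'SEC102');
INSERT INTO mdl_enrol VALUES (10, 2, 'manual', 0), (11, 2, 'self', 1),
                             (12, 3, 'manual', 0);
"""

# Constructed tool_uploadcourse CSV (column names assumed from the tool's docs).
SAMPLE_CSV = """shortname,fullname,enrolment_1,enrolment_1_delete
SEC101,Security 101,manual,1
SEC101,Security 101,self,1
SEC102,Security 102,guest,1
SEC102,Security 102,manual,0
"""

def enabled_methods(conn):
    """Map course shortname -> set of enrol plugins with an enabled instance."""
    rows = conn.execute(
        "SELECT c.shortname, e.enrol FROM mdl_enrol e "
        "JOIN mdl_course c ON c.id = e.courseid WHERE e.status = ?",
        (ENROL_INSTANCE_ENABLED,))
    out = {}
    for shortname, enrol in rows:
        out.setdefault(shortname, set()).add(enrol)
    return out

def unsafe_deletions(csv_text, enabled):
    """Return (csv_line, shortname, method) for each enrolment_N_delete=1 whose
    method has no enabled instance in the target course (missing or disabled)."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for key, value in row.items():
            if not (key.startswith("enrolment_") and key.endswith("_delete")):
                continue
            if value.strip() != "1":
                continue
            method = row.get(key[:-len("_delete")], "").strip()
            if method not in enabled.get(row["shortname"], set()):
                findings.append((n, row["shortname"], method))
    return findings

def check_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA_AND_ROWS)
    return unsafe_deletions(SAMPLE_CSV, enabled_methods(conn))
```

Rows that come back from `check_sample()` are the ones to remove or correct
before the upload; on a live site, point `enabled_methods` at the real database.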

--------------------------------------------------------------------------------

MSA-20-0020: Stored XSS possible when renaming content bank items

It was possible to include JavaScript when renaming content bank items.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2
Versions fixed:    3.10, 3.9.3
Reported by:       DegrangeM
CVE identifier:    CVE-2020-25702
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046
Tracker issue:     MDL-69046 Stored XSS possible when renaming content bank items

--------------------------------------------------------------------------------

MSA-20-0021: The participants table download feature did not respect the site's
"show user identity" configuration

The participants table download always included user emails, but should have
only done so when users' emails are not hidden.

Severity/Risk:     Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8
Versions fixed:    3.10, 3.9.3, 3.8.6 and 3.7.9
Reported by:       A. Schenkel
CVE identifier:    CVE-2020-25703
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69844
Tracker issue:     MDL-69844 The participants table download feature did not
                   respect the site's "show user identity"
                   configuration

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================