CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25700
https://notcve.org/view.php?id=CVE-2020-25700
19 Nov 2020 — In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. En moodle, algunos servicios web de módulos de base de datos permitían a estudiantes agregar entradas dentro de grupos a los que no pertenecían. Versiones afectadas: 3.9 hasta 3.9.2, 3.8 hasta 3.8.5, 3.7 hasta 3.7.8, 3.5 hasta ... • https://bugzilla.redhat.com/show_bug.cgi?id=1895427 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25702
https://notcve.org/view.php?id=CVE-2020-25702
19 Nov 2020 — In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. En Moodle, era posible incluir JavaScript, cuando se cambia el nombre de los elementos del banco de contenido. Versiones afectadas: 3.9 a 3.9.2. • https://bugzilla.redhat.com/show_bug.cgi?id=1895437 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25703
https://notcve.org/view.php?id=CVE-2020-25703
19 Nov 2020 — The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10. La descarga de la tabla de participantes en Moodle siempre incluía correos electrónicos de unos usuarios, pero solo debería haberlo hecho cuando los correos electrónicos de los usuarios no están ocultos. Versiones afectadas: 3.9 hasta 3.9.2, 3.8 hasta 3... • https://bugzilla.redhat.com/show_bug.cgi?id=1895439 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25701
https://notcve.org/view.php?id=CVE-2020-25701
19 Nov 2020 — If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. Si la herramienta de carga de curso en Moodle se usó para eliminar un método de inscripción ... • https://bugzilla.redhat.com/show_bug.cgi?id=1895432 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25698
https://notcve.org/view.php?id=CVE-2020-25698
19 Nov 2020 — Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. Unas capacidades de inscripción de los usuarios no estaban suficientemente comprobadas en Moodle cuando son restauradas en un curso existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1895419 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25699
https://notcve.org/view.php?id=CVE-2020-25699
19 Nov 2020 — In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. En moodle, las comprobaciones insuficientes de capacidad podrían conllevar a usuarios con una capacidad de restaurar el curso agregar capacidades adicionales a los roles dentro de ese... • https://bugzilla.redhat.com/show_bug.cgi?id=1895425 • CWE-863: Incorrect Authorization •