CVE-2020-25628
https://notcve.org/view.php?id=CVE-2020-25628
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. El filtro en el administrador de etiquetas requirió un saneamiento adicional para impedir un riesgo de XSS reflejado. Esto afecta a versiones 3.9 hasta 3.9.1, 3.8 hasta 3.8.4, 3.7 hasta 3.7.7, 3.5 hasta 3.5.13 y versiones anteriores no compatibles. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340 https://moodle.org/mod/forum/discuss.php?d=410840 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-25629
https://notcve.org/view.php?id=CVE-2020-25629
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. Se encontró una vulnerabilidad en Moodle donde los usuarios con la capacidad "Log in as" en el contexto de un curso (típicamente, administradores de cursos) pueden obtener acceso a algunas funciones de administración del sitio mediante un "logging in as" un administrador del sistema. Esto afecta a versiones 3.9 hasta 3.9.1, 3.8 hasta 3.8.4, 3.7 hasta 3.7.7, 3.5 hasta 3.5.13 y versiones anteriores no compatibles. • https://moodle.org/mod/forum/discuss.php?d=410841 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2020-25630
https://notcve.org/view.php?id=CVE-2020-25630
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. Se encontró una vulnerabilidad en Moodle donde el tamaño descomprimido de los archivos zip no se verificaba con la cuota de usuario disponible antes de descomprimirlos, lo que podría conducir a un riesgo de denegación de servicio. Esto afecta a las versiones 3.9 hasta 3.9.1, 3.8 hasta 3.8.4, 3.7 hasta 3.7.7, 3.5 hasta 3.5.13 y versiones anteriores no compatibles. • https://moodle.org/mod/forum/discuss.php?d=410842 • CWE-400: Uncontrolled Resource Consumption •
CVE-2020-25700
https://notcve.org/view.php?id=CVE-2020-25700
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. En moodle, algunos servicios web de módulos de base de datos permitían a estudiantes agregar entradas dentro de grupos a los que no pertenecían. Versiones afectadas: 3.9 hasta 3.9.2, 3.8 hasta 3.8.5, 3.7 hasta 3.7.8, 3.5 hasta 3.5.14 y versiones anteriores no compatibles. • https://bugzilla.redhat.com/show_bug.cgi?id=1895427 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413938 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-25701
https://notcve.org/view.php?id=CVE-2020-25701
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. Si la herramienta de carga de curso en Moodle se usó para eliminar un método de inscripción que no existía o no estaba habilitado, la herramienta habilitaría erróneamente ese método de inscripción. • https://bugzilla.redhat.com/show_bug.cgi?id=1895432 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413939 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •