CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25698
https://notcve.org/view.php?id=CVE-2020-25698
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. Unas capacidades de inscripción de los usuarios no estaban suficientemente comprobadas en Moodle cuando son restauradas en un curso existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1895419 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413935 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25699
https://notcve.org/view.php?id=CVE-2020-25699
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. En moodle, las comprobaciones insuficientes de capacidad podrían conllevar a usuarios con una capacidad de restaurar el curso agregar capacidades adicionales a los roles dentro de ese curso. Versiones afectadas: 3.9 hasta 3.9.2, 3.8 hasta 3.8.5, 3.7 hasta 3.7.8, 3.5 hasta 3.5.14 y versiones anteriores no compatibles. • https://bugzilla.redhat.com/show_bug.cgi?id=1895425 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413936 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-10738
https://notcve.org/view.php?id=CVE-2020-10738
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution. Se encontró un fallo en Moodle versiones 3.8 anteriores a la versión 3.8.3, versiones 3.7 anteriores a 3.7.6, versiones 3.6 anteriores a 3.6.10, versiones 3.5 anteriores a 3.5.12 y versiones anteriores no compatibles. Fue posible crear un paquete SCORM de tal manera que cuando se agregara a un curso, podría interactuar con él por medio de servicios web a fin de lograr una ejecución de código remota. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10738 https://moodle.org/mod/forum/discuss.php?d=403513 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14880
https://notcve.org/view.php?id=CVE-2019-14880
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise. Se detectó una vulnerabilidad en Moodle versiones 3.7 anteriores a 3.7.3, versiones 3.6 anteriores a 3.6.7, versiones 3.5 anteriores a 3.5.9. Los proveedores de OAuth 2 quienes no verifican los cambios en la dirección de correo electrónico de los usuarios requieren una verificación adicional durante el registro para reducir el riesgo de comprometer la cuenta. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14880 https://moodle.org/security • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14884
https://notcve.org/view.php?id=CVE-2019-14884
A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages. Se detectó una vulnerabilidad en Moodle versiones 3.7 anteriores a 3.73, versiones 3.6 anteriores a 3.6.7 y versiones 3.5 anteriores a 3.5.9, donde es posible un ataque de tipo XSS reflejado a partir de algunos mensajes de error fatales. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14884 https://moodle.org/mod/forum/discuss.php?d=393587#p1586751 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •