CVE-2020-25702
https://notcve.org/view.php?id=CVE-2020-25702
In Moodle, it was possible to include JavaScript when renaming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in Moodle 3.9.3 and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895437 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413940 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25703
https://notcve.org/view.php?id=CVE-2020-25703
The participants table download in Moodle always included user emails, but should only have done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895439 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413941 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-201: Insertion of Sensitive Information Into Sent Data
CVE-2020-25701
https://notcve.org/view.php?id=CVE-2020-25701
If the upload course tool in Moodle was used to delete an enrollment method that did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895432 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413939 • CWE-284: Improper Access Control; CWE-863: Incorrect Authorization
CVE-2020-25698
https://notcve.org/view.php?id=CVE-2020-25698
Users' enrollment capabilities were not sufficiently checked in Moodle when users are restored into an existing course. This could allow them to unenroll users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895419 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6 https://moodle.org/mod/forum/discuss.php?d=413935 • CWE-284: Improper Access Control
CVE-2020-28941
https://notcve.org/view.php?id=CVE-2020-28941
An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once. • http://www.openwall.com/lists/oss-security/2020/11/19/5 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d4122754442799187d5d537a9c039a49a67e57f1 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1 https://github.com/torvalds/linux/commit/d4122754442799187d5d537a9c039a49a67e57f1 https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists. • CWE-763: Release of Invalid Pointer or Reference