If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Víctor Déniz Falcón
Workaround: Until the patch is applied, ensure any enrolment method deletions are only performed on courses where that enrolment method already exists and is enabled.
CVE identifier: CVE-2020-25701
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69378
Tracker issue: MDL-69378 tool_uploadcourse creates new enrol instances unexpectedly in some circumstances
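
One way to apply the workaround on an unpatched site is to screen the upload file before running it. The script below is an added example, not Moodle code: it assumes the upload CSV uses the `enrolment_N` / `enrolment_N_delete` column pattern, and that current enrolment instances have been exported to a hypothetical `shortname,enrol,status` CSV in which status `0` means enabled. All sample data is constructed.

```python
import csv
import io
import re

# Constructed sample: upload-course CSV with enrolment_N / enrolment_N_delete columns.
UPLOAD_CSV = """shortname,enrolment_1,enrolment_1_delete,enrolment_2,enrolment_2_delete
BIO101,self,1,guest,0
CHEM201,guest,1,,
PHYS301,self,1,manual,1
"""

# Constructed sample: existing enrolment instances per course (assumed export layout).
EXISTING_CSV = """shortname,enrol,status
BIO101,self,0
CHEM201,manual,0
PHYS301,self,1
PHYS301,manual,0
"""

DELETE_COL = re.compile(r"^enrolment_(\d+)_delete$")


def load_enabled(existing_csv):
    """Return the set of (shortname, method) pairs that exist and are enabled."""
    rows = csv.DictReader(io.StringIO(existing_csv))
    return {(r["shortname"], r["enrol"]) for r in rows if r["status"].strip() == "0"}


def unsafe_deletions(upload_csv, existing_csv):
    """List (line, shortname, method) deletions that fall outside the workaround."""
    enabled = load_enabled(existing_csv)
    findings = []
    reader = csv.DictReader(io.StringIO(upload_csv))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, value in row.items():
            m = DELETE_COL.match(col or "")
            if not m or (value or "").strip() != "1":
                continue
            method = (row.get(f"enrolment_{m.group(1)}") or "").strip()
            if method and (row["shortname"], method) not in enabled:
                findings.append((line_no, row["shortname"], method))
    return findings


if __name__ == "__main__":
    for line_no, course, method in unsafe_deletions(UPLOAD_CSV, EXISTING_CSV):
        print(f"line {line_no}: {course}: '{method}' is missing or disabled; remove this deletion")
```

Rows it reports should be dropped from the upload file, since on affected versions those deletions would enable the method instead.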