Insufficient capability checks in some grade related web services meant students were able to view other students' grades.
| Severity/Risk: | Minor |
| Versions affected: | 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6 |
| Versions fixed: | 3.10.1, 3.9.4 and 3.8.7 |
| Reported by: | Juan Segarra Montesinos |
| CVE identifier: | CVE-2021-20184 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797 |
| Tracker issue: | MDL-69797 Grade information disclosure in grade's external fetch functions |
Some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 |
| Versions fixed: | 3.10.1 |
| Reported by: | kstpt |
| CVE identifier: | CVE-2021-20183 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571 |
| Tracker issue: | MDL-70571 Search input template insufficiently escaped search queries |
The participants table download always included user emails, but should have only done so when users' emails are not hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8 |
| Versions fixed: | 3.10, 3.9.3, 3.8.6 and 3.7.9 |
| Reported by: | A. Schenkel |
| CVE identifier: | CVE-2020-25703 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69844 |
| Tracker issue: | MDL-69844 The participants table download feature did not respect the site's "show user identity" configuration |
It was possible to include JavaScript when re-naming content bank items.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2 |
| Versions fixed: | 3.10, 3.9.3 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2020-25702 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046 |
| Tracker issue: | MDL-69046 Stored XSS possible when renaming content bank items |
If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Víctor Déniz Falcón |
| Workaround: | Until the patch is applied, ensure any enrolment method deletions are only performed on courses where that enrolment method already exists and is enabled. |
| CVE identifier: | CVE-2020-25701 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69378 |
| Tracker issue: | MDL-69378 tool_uploadcourse creates new enrol instances unexpectedly in some circumstances |
Some database module web services allowed students to add entries within groups they did not belong to.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Dani Palou |
| CVE identifier: | CVE-2020-25700 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67015 |
| Tracker issue: | MDL-67015 Some database module web services did not respect group settings |
Insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Matt Petro |
| CVE identifier: | CVE-2020-25699 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56310 |
| Tracker issue: | MDL-56310 Privilege escalation within a course when restoring role overrides |
Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course, which could lead to them unenrolling users without having permission to do so.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Roman Sevostyanov |
| CVE identifier: | CVE-2020-25698 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837 |
| Tracker issue: | MDL-67837 Teacher is able to unenrol users without permission using course restore |
It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.
Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 |
| Versions fixed: | 3.9.2, 3.8.5 and 3.7.8 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2020-25631 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69048 |
| Tracker issue: | MDL-69048 Chapter name in book not always escaped with forceclean enabled |
The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, 3.8.5, 3.7.8 and 3.5.14 |
| Reported by: | Ivan Novichkov |
| CVE identifier: | CVE-2020-25630 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65115 |
| Tracker issue: | MDL-65115 Denial of service risk in file picker unzip functionality |