CVE-2020-25629
Moodle incorrect access control
CVSS 3.1 base score: 8.8 (HIGH)
EPSS 0.55%
Description
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
How to fix CVE-2020-25629
To remediate CVE-2020-25629, upgrade the affected package to a fixed version below.
- Upgrade to 3.5.14 or later
- Upgrade to 3.9.2 or later
Is CVE-2020-25629 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 3.5.0, < 3.5.14; >= 3.7.0, < 3.7.8; >= 3.8.0, < 3.8.5; >= 3.9.0, < 3.9.2
- >= 3.9, < 3.9.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |