MSA-20-0016: Teacher is able to unenrol users without permission using course restore

by Michael Hawkins.
Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course, which could lead to them unenrolling users without having permission to do so.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Roman Sevostyanov
CVE identifier: CVE-2020-25698
More info: https://moodle.org/mod/forum/discuss.php?d=413935&parent=1668770

MSA-20-0017: Privilege escalation within a course when restoring role overrides

by Michael Hawkins.
Insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Matt Petro
CVE identifier: CVE-2020-25699
More info: https://moodle.org/mod/forum/discuss.php?d=413936&parent=1668771

MSA-20-0018: Some database module web services did not respect group settings

by Michael Hawkins.
Some database module web services allowed students to add entries within groups they did not belong to.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Dani Palou
CVE identifier: CVE-2020-25700
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67015
Tracker issue: MDL-67015 Some database
More info: https://moodle.org/mod/forum/discuss.php?d=413938&parent=1668773

MSA-20-0019: tool_uploadcourse creates new enrol instances unexpectedly in some circumstances

by Michael Hawkins.
If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Víctor Déniz
More info: https://moodle.org/mod/forum/discuss.php?d=413939&parent=1668774

MSA-20-0020: Stored XSS possible when renaming content bank items

by Michael Hawkins.
It was possible to include JavaScript when renaming content bank items.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2
Versions fixed: 3.10, 3.9.3
Reported by: DegrangeM
CVE identifier: CVE-2020-25702
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046
Tracker issue: MDL-69046 Stored XSS possible when renaming content bank items
More info: https://moodle.org/mod/forum/discuss.php?d=413940&parent=1668775

MSA-20-0021: The participants table download feature did not respect the site's "show user identity" configuration

by Michael Hawkins.
The participants table download always included user emails, but should have only done so when users' emails are not hidden.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8
Versions fixed: 3.10, 3.9.3, 3.8.6 and 3.7.9
Reported by: A. Schenkel
CVE identifier: CVE-2020-25703
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69844
Tracker issue: MDL-69844 The participants table download feature did not
More info: https://moodle.org/mod/forum/discuss.php?d=413941&parent=1668777