Bug 1895419 (CVE-2020-25698)

Summary:	CVE-2020-25698 moodle: Teacher is able to unenrol users without permission using course restore
Product:	[Other] Security Response	Reporter:	Michael Kaplan <mkaplan>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	adaxvier, davitjack508, gwync, igor.raits, jwakely, KalebRamirez2020, maxiomalimo+mola953, michaelolivero1e, saleenajohn2023, security-response-team, sergio
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	moodle 3.9.3, moodle 3.8.6, moodle 3.7.9, moodle 3.5.15, moodle 3.10	Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Moodle where users' enrollment capabilities were not being sufficiently checked when restored into an existing course. This issue could lead to users being removed from enrollment without having adequate permissions.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-11-19 17:28:35 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1899532, 1899533
Bug Blocks:

Description Michael Kaplan 2020-11-06 16:22:58 UTC

Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course,  could lead to them unenrolling users without having permission to do so.

Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions

Comment 3 Michael Kaplan 2020-11-19 13:57:24 UTC

Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1899532]
Affects: fedora-all [bug 1899533]

Comment 4 Product Security DevOps Team 2020-11-19 17:28:35 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 5 Michael 2023-01-19 22:57:55 UTC Comment hidden (spam)

The teacher can cancel the registration of the student and not notify him about it. This is not a mistake, it's just that this functionality was provided in case the teacher does not like your content. I was gathering information from various movie review essay examples https://samplius.com/free-essay-examples/movie-review/ when I wanted to review popular movies for my blog posts. But it seemed to the teacher that it was not correct to describe commercial products and the technologies with which they were created. So he canceled my account, such situations are normal.

Comment 6 Choixx 2023-05-21 09:56:18 UTC Comment hidden (spam)

Hello Michael. for your future essays, I order you to use Papersowl professional writing service. It provides very high quality essays and does it at an affordable price. You can also check out Papersowl reviews on https://www.resellerratings.com/store/PapersOwl to learn more regarding the experience that different customers have had with their service. I discovered this service when I was a freshman in college. I have used it many times throughout my college years. It has allowed me to be more available and better organized.

Comment 7 Alan Luiz 2023-05-26 04:30:41 UTC Comment hidden (spam)

The ability for a teacher to unenroll users without permission using course restore raises concerns about privacy and user autonomy. Similar to writing for nurse from https://www.nursingpaper.com/, where informed consent is valued, respecting individuals' rights is essential in educational settings. Safeguards must be in place to prevent unauthorized unenrollments, ensuring a fair and inclusive learning environment where users' participation and progress are valued and protected.

Comment 8 Davit Jack 2023-06-19 12:31:52 UTC Comment hidden (spam)

You have made some good points here. I looked on the internet for the issue as well as found most people will certainly company with your website. https://americasuits.com/justified-raylan-givens-black-cotton-jacket Store For all of your Superhero Outfits, Celerity Jackets, And Leather Jackets! online. Waste no time any further browsing and check out the vast varieties of superhero jackets, celebrity jackets, and many many more, visit and order now and be the fashion diva of your circle.

Comment 9 Nicholson 2023-07-05 22:55:26 UTC Comment hidden (spam)

If you're experiencing a situation where a teacher is improperly unenrolling users without permission using a course restore feature, it may be necessary to address the issue with the LMS platform's support team or the organization responsible for managing the platform. They should be able to investigate the situation, provide guidance, and ensure that the proper permissions and access controls are in place to prevent unauthorized actions. Whether you're looking for a local sprint triathlon and have no information about it. https://triworldhub.com/ features comprehensive detail about ongoing events worldwide.

Comment 10 Ada Xavier 2023-07-31 12:46:14 UTC Comment hidden (spam)

Capstone papers are academic projects typically undertaken by students during their final year of study, often in higher education programs or graduate schools. These comprehensive assignments aim to showcase the students' accumulated knowledge, skills, and understanding of their field of study. Capstone papers may take various forms, including research papers, case studies, creative projects, or practical applications https://papermasters.org/buy-capstone-project-online-help/