CVE-2020-25701: Privilage Escalation in moodle
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.56406%
CWE
Published
3/29/2021
Updated
9/12/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 3.9.0, < 3.9.3 | 3.9.3 |
moodle/moodle | composer | >= 3.8.0, < 3.8.6 | 3.8.6 |
moodle/moodle | composer | >= 3.7.0, < 3.7.9 | 3.7.9 |
moodle/moodle | composer | >= 3.5, < 3.5.15 | 3.5.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the enrollment processing logic in process_enrolment_data() shown in the commit diff. The original code would:
- Attempt to delete non-existent enrollment methods (creating them first if missing)
- Enable methods when trying to disable/delete them if they didn't exist
- Lack proper state validation before modifying enrollment status
The patched version adds proper existence checks (line 983: 'if ($instance)') and separates creation/status update logic, indicating the vulnerability resided in how the function handled non-existent enrollment methods during delete/disable operations. The CWE-863 mapping confirms this is an authorization flaw where deletion attempts improperly escalated privileges by creating unwanted active enrollment methods.