Moodle incorrect access control
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Aug 23, 2023
Package
Affected versions
>= 3.9, <= 3.9.1
>= 3.8, <= 3.8.4
>= 3.7, <= 3.7.7
>= 3.5, <= 3.5.13
Patched versions
3.9.2
3.8.5
3.7.8
3.5.14
Description
Published by the National Vulnerability Database
Dec 8, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jul 13, 2023
Last updated
Aug 23, 2023
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
References