Users’ enrollment capabilities were not sufficiently checked in Moodle when they were restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
bugzilla.redhat.com/show_bug.cgi?id=1895419
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837
github.com/moodle/moodle/commit/c8ac07fb50fa92eee1d574823fbda09e1b309a63
lists.fedoraproject.org/archives/list/[email protected]/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU
lists.fedoraproject.org/archives/list/[email protected]/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6
moodle.org/mod/forum/discuss.php?d=413935
nvd.nist.gov/vuln/detail/CVE-2020-25698