Vulnerability Details : CVE-2020-14321
Public exploit exists!
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
Products affected by CVE-2020-14321
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.9.0:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-14321
12.21% probability of exploitation activity in the next 30 days
EPSS Score History
~96% percentile: the proportion of vulnerabilities that are scored at or below this score
Metasploit modules for CVE-2020-14321
- Moodle Teacher Enrollment Privilege Escalation to RCE
  Disclosure Date: 2020-07-20
  First seen: 2022-12-23
  exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce
  Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions allow for a teacher to exploit chain to RCE. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other u
CVSS scores for CVE-2020-14321
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2020-14321
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2020-14321
- https://moodle.org/mod/forum/discuss.php?d=407393
  Moodle.org: MSA-20-0009: Course enrolments allowed privilege escalation from teacher role into manager role
  Patch; Vendor Advisory