MSA-20-0019: tool_uploadcourse creates new enrol instances unexpectedly in some circumstances

by Michael Hawkins.  

If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Víctor Déniz Falcón
Workaround: Until the patch is applied, ensure any enrolment method deletions are only performed on courses where that enrolment method already exists and is enabled.
CVE identifier: CVE-2020-25701
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69378
Tracker issue: MDL-69378 tool_uploadcourse creates new enrol instances unexpectedly in some circumstances
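
A pre-flight check that applies the workaround to an upload file before it is run, as an added example (not code from Moodle or from this advisory). It assumes the upload tool's CSV columns `enrolment_<n>` and `enrolment_<n>_delete`, and a hypothetical `enabled_methods` inventory exported beforehand from the site's enrolment instances; the sample data is constructed.

```python
import csv
import io
import re

# Assumed CSV layout: enrolment_<n> names the method and
# enrolment_<n>_delete set to 1 requests its removal.
METHOD_COL = re.compile(r"^enrolment_(\d+)$")

# Constructed sample upload file (not taken from the advisory).
SAMPLE_CSV = """shortname,enrolment_1,enrolment_1_delete,enrolment_2,enrolment_2_delete
BIO101,self,1,guest,
CHEM200,guest,1,manual,0
PHYS300,self,1,guest,1
"""
# Constructed inventory: course shortname -> {method: True if enabled}.
SAMPLE_STATE = {
    "BIO101": {"manual": True, "self": True},
    "CHEM200": {"manual": True},
    "PHYS300": {"manual": True, "self": False, "guest": True},
}

def unsafe_deletions(csv_text, enabled_methods):
    """List (csv_line, shortname, method, reason) for every deletion that
    targets a method which is missing or disabled on the course."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        shortname = (row.get("shortname") or "").strip()
        for col, value in row.items():
            m = METHOD_COL.match(col or "")
            if not m or not (value or "").strip():
                continue
            flag = (row.get(f"enrolment_{m.group(1)}_delete") or "").strip()
            if flag != "1":
                continue  # row does not request a deletion for this method
            method = value.strip()
            state = enabled_methods.get(shortname, {}).get(method)
            if state is None:
                findings.append((reader.line_num, shortname, method, "missing"))
            elif not state:
                findings.append((reader.line_num, shortname, method, "disabled"))
    return findings

if __name__ == "__main__":
    for line, course, method, reason in unsafe_deletions(SAMPLE_CSV, SAMPLE_STATE):
        print(f"line {line}: {course}: delete of '{method}' targets a {reason} method")
```

Rows it reports are the ones to remove from the upload file on an unpatched site, since those are the deletions the advisory says would enable the method instead.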

Read more https://moodle.org/mod/forum/discuss.php?d=413939&parent=1668774