MSA-20-0016: Teacher is able to unenrol users without permission using course restore

by Michael Hawkins.  

Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course, which could lead to them unenrolling users without having permission to do so.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Roman Sevostyanov
CVE identifier: CVE-2020-25698
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837
Tracker issue: MDL-67837 Teacher is able to unenrol users without permission using course restore

Read more https://moodle.org/mod/forum/discuss.php?d=413935&parent=1668770