CVE-2020-25703

EPSS 1.5% · CWE-201
In short

Moodle was exposing users' email addresses in participant table downloads even when those emails should have been hidden. This leaked private contact information that administrators intended to keep confidential.

Technical detail

A CWE-201 information exposure vulnerability in the export function of Moodle's participants table. The application failed to respect user privacy settings: the download always included email addresses, regardless of the email visibility configuration. Affects versions 3.7 to 3.7.8, 3.8 to 3.8.5 and 3.9 to 3.9.2; requires authenticated access to course participant exports.
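
A minimal model of the flaw and its fix, added here as an illustration; it is not Moodle's code. The `email_hidden` field, the function names, the sample participants and the rule that a user can always see their own address are constructed assumptions.

```python
import csv
import io

# Constructed sample data. "email_hidden" is a hypothetical stand-in for the
# user's email visibility setting; it is not Moodle's schema.
PARTICIPANTS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.test", "email_hidden": False},
    {"id": 2, "name": "Bo Sample", "email": "bo@example.test", "email_hidden": True},
    {"id": 3, "name": "Cy Demo", "email": "cy@example.test", "email_hidden": True},
]


def can_see_email(viewer_id, user):
    """One visibility predicate, shared by the on-screen table and the export.
    Assumption: users always see their own address."""
    return viewer_id == user["id"] or not user["email_hidden"]


def export_flawed(users):
    """Models the reported behaviour: the email column is always filled in."""
    return [[u["name"], u["email"]] for u in users]


def export_fixed(users, viewer_id):
    """Applies the shared predicate to every row before writing the email."""
    return [[u["name"], u["email"] if can_see_email(viewer_id, u) else ""]
            for u in users]


def to_csv(rows):
    """Serialises rows the way a download would, with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "email"])
    writer.writerows(rows)
    return buf.getvalue()


def leaked_emails(csv_text, users, viewer_id):
    """Regression check: hidden addresses that still appear in an export."""
    exported = {row["email"] for row in csv.DictReader(io.StringIO(csv_text))}
    return sorted(u["email"] for u in users
                  if not can_see_email(viewer_id, u) and u["email"] in exported)


if __name__ == "__main__":
    print(leaked_emails(to_csv(export_flawed(PARTICIPANTS)), PARTICIPANTS, viewer_id=1))
    print(leaked_emails(to_csv(export_fixed(PARTICIPANTS, 1)), PARTICIPANTS, viewer_id=1))
```

The same `leaked_emails` check can be kept as a regression test on any export path, so a new download format cannot bypass the visibility rule the page view enforces.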

Summary generated and translated by AI from the official description.
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
Affected products
n/a · moodle
