VYPR
High severity · NVD Advisory · Published Dec 8, 2020 · Updated Aug 4, 2024

CVE-2020-25629

Description

Moodle users with 'Log in as' capability in a course can gain site administration privileges by impersonating a System manager.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Analysis

CVE-2020-25629 is a privilege escalation vulnerability in Moodle affecting versions 3.5 to 3.5.13, 3.7 to 3.7.7, 3.8 to 3.8.4 and 3.9 to 3.9.1, as well as earlier unsupported releases [1]. The flaw is in the 'Log in as' feature, which lets a user holding the Log in as capability (moodle/user:loginas) impersonate another user. That capability can be granted in a course context, typically to a course manager. In affected versions such a course-level Log in as could target a user who holds the Manager role at the system level; the impersonator then inherits that user's site-wide capabilities and ends up with site administration privileges that exceed their own [1].

Attack Vector

Exploitation requires an authenticated user who holds the Log in as capability in at least one course [1]. No network access beyond ordinary use of the web application is needed. The attacker opens the course, uses the standard Log in as workflow and selects a target user who holds the System manager role [1]; the impersonated session carries that user's site-level capabilities. Because the trigger is the normal impersonation feature, a course manager can exploit it with no additional privileges or external tools.

Impact

Successful exploitation gives a course manager unauthorized access to site administration functions [1]: changing system-wide settings, managing users across the whole site and, through those, compromising the confidentiality, integrity and availability of the Moodle installation. The escalation bypasses the intended role hierarchy, in which a course manager's authority is confined to their assigned courses.

Mitigation

Moodle fixed the issue in 3.9.2, 3.8.5, 3.7.8 and 3.5.14 [1]; administrators should upgrade to those or later releases. No workaround has been published, so patching is the only reliable mitigation. Until the upgrade is in place, the practical way to limit exposure is the usual least-privilege review: list which roles hold Log in as in course contexts, withdraw it where it is not needed, and check the standard log for Log in as events that targeted system-level managers or administrators. The vulnerability is not known to be exploited in the wild, but because exploitation is just the normal impersonation workflow, prompt action is recommended.
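The two checks above (who holds Log in as inside a course, and whether a course-level Log in as ever targeted a system-level manager) as a worked example. This is an added script, not Moodle's own code or part of the advisory. It models the columns of Moodle's mdl_role_capabilities, mdl_role_assignments and mdl_logstore_standard_log tables, but every row is constructed for the example; the permission resolution (system-level role definition plus a course-level override) is a deliberate simplification that ignores category contexts and CAP_PROHIBIT, and the set of privileged user ids is assumed rather than derived from the admins setting.

```python
"""Audit and detection helpers for CVE-2020-25629 (Moodle 'Log in as').

Added example, not Moodle's own code.  Column names follow Moodle's
role_capabilities, role_assignments and logstore_standard_log tables; all
rows below are constructed.  Permission resolution is simplified on purpose.
"""

CONTEXT_SYSTEM = 10            # Moodle context levels (lib/accesslib.php)
CONTEXT_COURSE = 50
CAP_ALLOW = 1                  # role_capabilities.permission values
CAP_PREVENT = -1
SYSTEM_CONTEXT_ID = 1          # the system context always has id 1
LOGINAS_CAP = "moodle/user:loginas"
LOGINAS_EVENT = "\\core\\event\\user_loginas"

# --- constructed data ---------------------------------------------------
ROLES = {1: "manager", 3: "editingteacher", 5: "student"}      # roleid -> shortname
CONTEXTS = {1: CONTEXT_SYSTEM, 37: CONTEXT_COURSE, 41: CONTEXT_COURSE}  # id -> level
# (roleid, contextid, capability, permission)
ROLE_CAPS = [
    (1, 1, LOGINAS_CAP, CAP_ALLOW),     # manager role definition allows Log in as
    (3, 1, LOGINAS_CAP, CAP_PREVENT),   # editingteacher normally may not ...
    (3, 41, LOGINAS_CAP, CAP_ALLOW),    # ... but an override in course 41 allows it
]
# (userid, roleid, contextid)
ROLE_ASSIGNMENTS = [
    (7, 1, 1),     # user 7: manager at system level (the impersonation target)
    (12, 1, 37),   # user 12: manager only in course 37 (a course manager)
    (15, 3, 41),   # user 15: editing teacher in course 41, covered by the override
    (20, 5, 37),   # user 20: student
]
PRIVILEGED_USERS = {7}          # assumed: site admins and system-level managers
# logstore_standard_log rows, only the columns used here
LOG_ROWS = [
    {"eventname": LOGINAS_EVENT, "userid": 12, "relateduserid": 7,
     "contextlevel": CONTEXT_COURSE, "courseid": 37, "timecreated": 1607385600},
    {"eventname": LOGINAS_EVENT, "userid": 12, "relateduserid": 20,
     "contextlevel": CONTEXT_COURSE, "courseid": 37, "timecreated": 1607385700},
    {"eventname": LOGINAS_EVENT, "userid": 7, "relateduserid": 20,
     "contextlevel": CONTEXT_SYSTEM, "courseid": 0, "timecreated": 1607385800},
    {"eventname": "\\core\\event\\user_loggedin", "userid": 20, "relateduserid": None,
     "contextlevel": CONTEXT_SYSTEM, "courseid": 0, "timecreated": 1607385900},
]


def loginas_allowed(roleid, contextid, role_caps=ROLE_CAPS):
    """Resolve moodle/user:loginas for a role in one context.

    Simplification (assumption): a row at the given context overrides the
    system-level definition; real Moodle walks the whole context path.
    """
    perm = 0
    for rid, cid, cap, p in role_caps:          # system-level definition first
        if rid == roleid and cap == LOGINAS_CAP and cid == SYSTEM_CONTEXT_ID:
            perm = p
    for rid, cid, cap, p in role_caps:          # then a local override, if any
        if rid == roleid and cap == LOGINAS_CAP and cid == contextid:
            perm = p
    return perm == CAP_ALLOW


def users_exposed_to_cve_2020_25629(assignments=ROLE_ASSIGNMENTS, contexts=CONTEXTS,
                                    roles=ROLES, role_caps=ROLE_CAPS):
    """Users holding Log in as inside a course context.

    On an unpatched site each of them could impersonate a system-level
    manager.  Returns sorted (userid, role shortname, contextid) tuples.
    """
    exposed = set()
    for userid, roleid, contextid in assignments:
        if contexts.get(contextid) != CONTEXT_COURSE:
            continue
        if loginas_allowed(roleid, contextid, role_caps):
            exposed.add((userid, roles[roleid], contextid))
    return sorted(exposed)


def flag_loginas_escalation(rows=LOG_ROWS, privileged=PRIVILEGED_USERS):
    """Log in as events fired from a course context against a privileged
    account: the exact shape of this CVE.  A system-level Log in as by an
    admin (row 3) and ordinary logins (row 4) are not flagged.
    Returns (impersonator userid, target userid, courseid, timecreated)."""
    hits = []
    for r in rows:
        if r["eventname"] != LOGINAS_EVENT:
            continue
        if r["contextlevel"] == CONTEXT_COURSE and r["relateduserid"] in privileged:
            hits.append((r["userid"], r["relateduserid"], r["courseid"], r["timecreated"]))
    return hits


if __name__ == "__main__":
    for userid, role, ctx in users_exposed_to_cve_2020_25629():
        print(f"exposed: user {userid} holds Log in as as {role} in context {ctx}")
    for who, target, course, ts in flag_loginas_escalation():
        print(f"ALERT: user {who} logged in as privileged user {target} from course {course} at {ts}")
```

Against the constructed rows the audit reports users 12 and 15 (the student and the system-level manager are not course-level holders of Log in as), and the log scan flags only user 12 impersonating user 7 from course 37. On a real site the same two queries would be run against the database, and the privileged set should be built from the site administrators plus every Manager assignment at the system context.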

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions    Patched version
moodle/moodle   Packagist   >= 3.9, < 3.9.2      3.9.2
moodle/moodle   Packagist   >= 3.8, < 3.8.5      3.8.5
moodle/moodle   Packagist   >= 3.7, < 3.7.8      3.7.8
moodle/moodle   Packagist   >= 3.5, < 3.5.14     3.5.14

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)