Vulnerability details: VCID-n2pd-ms5c-vfbq
Vulnerability ID VCID-n2pd-ms5c-vfbq
Aliases CVE-2020-14321
GHSA-9q29-jcjw-fw7h
Summary Moodle Incorrect Authorization vulnerability. In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Weaknesses (3)
Data source Metasploit
Description Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions allow a teacher to exploit a chain to RCE. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on the system (not just the class). After adding a system manager, a 'loginas' feature is used to access their account. Next the system is reconfigured to allow all users to install an addon/plugin. Then a malicious theme is uploaded and creates an RCE. If all of that is a success, we revert permissions for managers to system default and remove our malicious theme. Manual cleanup to remove students from the class is required. This module was tested against Moodle version 3.9.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - config-changes
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date July 20, 2020
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/moodle_teacher_enrollment_priv_esc_to_rce.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/moodle/moodle
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/moodle/moodle/commit/d07fb8b9e8bf47fe60ad2aea553329bd1fb96e37
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://moodle.org/mod/forum/discuss.php?d=407393
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14321
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Exploit Prediction Scoring System (EPSS)
Percentile 0.9829
EPSS Score 0.6372
Published At June 30, 2025, 12:55 p.m.
Import history
Date: 2025-07-01T12:24:38.370778+00:00
Actor: GithubOSV Importer
Action: Import
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-9q29-jcjw-fw7h/GHSA-9q29-jcjw-fw7h.json
VulnerableCode Version: 36.1.3