CVE-2020-14321

Published: 16/08/2022 Updated: 08/12/2022
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

In Moodle prior to 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

Vulnerable Product

moodle moodle

moodle moodle 3.9.0

Exploits

Moodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12, and earlier unsupported versions allow for a teacher to exploit chain to remote code execution. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on ...
Moodle version 3.9 authenticated remote code execution exploit ...

Github Repositories

Python script to exploit CVE-2020-14321 - Moodle 3.9 - Course enrollments allowed privilege escalation from teacher role into manager role to RCE.

Python script to exploit CVE-2020-14321 - Moodle 3.9 - Course enrolments allowed privilege escalation from teacher role into manager role to RCE. Teachers of a course were able to assign themselves the manager role within that course. Payload extracted from: github.com/HoangKien1020/CVE-2020-14321. Usage: If you have valid teacher credentials (InReaLife this has not been

Modified Moodle exploit for privilege escalation (Dorvack)

CVE-2020-14321-modified-exploit. Original: github.com/HoangKien1020/CVE-2020-14321. Modified Moodle exploit for privilege escalation (Dorvack). ┌──(kali㉿kali)-[~/…/1921681121/exploits/CVE-2020-14321/modified] └─$ proxychains python cve202014321py -url formaciondorvackcorp -cookie jgs48ml47fra5v3r45vdhkokb9 [proxychains] config file found:

AutoPwn Script for Moodle 3.9 leveraging CVE-2020-20282, CVE-2020-14320, CVE-2020-14321

Moodle_39_RCE_AutoPwn: AutoPwn Script for Moodle 3.9 leveraging CVE-2020-20282, CVE-2020-14320, CVE-2020-14321. asciinema.org/a/417517

Course enrolments allowed privilege escalation from teacher role into manager role to RCE

CVE-2020-14321: Course enrolments allowed privilege escalation from teacher role into manager role to RCE. Maybe someone needs a Python script; therefore, I have written it to exploit. How to use this PoC script: Case 1: If you have valid credentials: python3 cve202014321py -u testlocal:8080 -u teacher -p 1234 -cmd=dir Case 2: If you have val