Description

mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.

Remediation

References

CVE-2015-0211

Related Vulnerabilities

Magento Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-7911)

WordPress Plugin WP-Mon Arbitrary File Disclosure (0.5.1)

MySQL CVE-2019-2789 Vulnerability (CVE-2019-2789)

WordPress Plugin W4 Post List Cross-Site Scripting (2.4.4)

WordPress Plugin Stripe For WooCommerce Security Bypass (3.3.9)

Severity

Medium

Classification

CVE-2015-0211 CWE-200

Tags

Missing Update Known Vulnerabilities