Description
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.
Remediation
References