Description
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.
Remediation
References