Description

mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

Remediation

References

CVE-2014-7832

Related Vulnerabilities

ownCloud Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-9459)

WordPress Plugin Ad Inserter-Ad Manager & AdSense Ads Remote Code Execution (2.4.21)

WordPress Plugin Zingiri Web Shop 'wpabspath' Parameter Remote File Include (2.2.0)

WordPress Plugin Custom Dashboard & Login Page-AGCA Cross-Site Request Forgery (6.5.4)

Oracle Database Server CVE-2010-0851 Vulnerability (CVE-2010-0851)

Severity

Medium

Classification

CVE-2014-7832 CWE-264

Tags

Missing Update Known Vulnerabilities