Description
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.
Remediation
References
Related Vulnerabilities
WordPress Plugin Ultimate SMS Notifications for WooCommerce CSV Injection (1.4.1)
Atlassian Jira Improper Authentication Vulnerability (CVE-2022-0540)
WordPress Plugin WolfNet IDX for WordPress Multiple Unspecified Vulnerabilities (1.14.7)
WordPress Plugin Open Graph for Facebook, Google+ and Twitter Card Tags Cross-Site Scripting (2.2.4)
TYPO3 Improper Authentication Vulnerability (CVE-2022-36106)