Description

The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

Remediation

References

CVE-2014-9060

Related Vulnerabilities

WordPress Plugin Video Lead Form 'errMsg' Parameter Cross-Site Scripting (0.5)

WordPress Plugin Paid Memberships Pro-Restrict Member Access to Content, Courses, Communities-Free or Paid Subscriptions Directory Traversal (1.7.14.2)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-3742)

MySQL CVE-2019-2966 Vulnerability (CVE-2019-2966)

Oracle JRE CVE-2022-21541 Vulnerability (CVE-2022-21541)

Severity

Medium

Classification

CVE-2014-9060 CWE-20

Tags

Missing Update Known Vulnerabilities