Description

mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

Remediation

References

CVE-2014-7832

Related Vulnerabilities

Drupal Core 6.x Multiple Vulnerabilities (6.0 - 6.27)

Django Improper Authentication Vulnerability (CVE-2021-44420)

MySQL CVE-2020-14567 Vulnerability (CVE-2020-14567)

WordPress Plugin File Manager Remote Code Execution (4.5)

MySQL CVE-2021-35631 Vulnerability (CVE-2021-35631)

Severity

Medium

Classification

CVE-2014-7832 CWE-264

Tags

Missing Update Known Vulnerabilities