mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
History
21 Nov 2024, 02:18
Type | Values Removed | Values Added |
---|---|---|
References | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921 | |
References | http://openwall.com/lists/oss-security/2014/11/17/11 | |
References | http://www.securitytracker.com/id/1031215 | |
References | https://moodle.org/mod/forum/discuss.php?d=275154 (Vendor Advisory) | |
Information
Published : 2014-11-24 11:59
Updated : 2024-11-21 02:18
NVD link : CVE-2014-7832
Mitre link : CVE-2014-7832
CVE.ORG link : CVE-2014-7832
Products Affected
moodle
- moodle
CWE
CWE-264
Permissions, Privileges, and Access Controls