mod/lti/launch.php in the LTI module in Moodle up to and including 2.4.11, 2.5.x prior to 2.5.9, 2.6.x prior to 2.6.6, and 2.7.x prior to 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
moodle moodle 2.5.8 |
||
moodle moodle 2.5.7 |
||
moodle moodle 2.5.6 |
||
moodle moodle 2.5.5 |
||
moodle moodle 2.5.4 |
||
moodle moodle 2.7.2 |
||
moodle moodle 2.6.0 |
||
moodle moodle 2.6.1 |
||
moodle moodle 2.6.2 |
||
moodle moodle 2.6.3 |
||
moodle moodle 2.5.3 |
||
moodle moodle 2.5.1 |
||
moodle moodle 2.6.5 |
||
moodle moodle 2.7.1 |
||
moodle moodle |
||
moodle moodle 2.5.2 |
||
moodle moodle 2.5.0 |
||
moodle moodle 2.6.4 |
||
moodle moodle 2.7.0 |