The LTI module in Moodle up to and including 2.4.11, 2.5.x prior to 2.5.9, 2.6.x prior to 2.6.6, and 2.7.x prior to 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote malicious users to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.
Vulnerable Product |
---|
moodle moodle 2.6.0 |
moodle moodle 2.6.1 |
moodle moodle 2.6.2 |
moodle moodle 2.6.3 |
moodle moodle 2.5.8 |
moodle moodle 2.5.7 |
moodle moodle 2.5.6 |
moodle moodle 2.5.5 |
moodle moodle 2.5.4 |
moodle moodle 2.7.2 |
moodle moodle |
moodle moodle 2.5.2 |
moodle moodle 2.5.0 |
moodle moodle 2.6.4 |
moodle moodle 2.7.0 |
moodle moodle 2.5.3 |
moodle moodle 2.5.1 |
moodle moodle 2.6.5 |
moodle moodle 2.7.1 |