GitHub Advisory DatabaseGHSA-MPHJ-H2FC-62X3Moodle allows attackers to bypass the mod/lti:view capability requirement
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
50.4%
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
Affected configurations
References
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
openwall.com/lists/oss-security/2014/11/17/11
github.com/advisories/GHSA-mphj-h2fc-62x3
github.com/moodle/moodle/commit/263f78b8b804fe7dbcd6ffadcadad2c94a0093f7
github.com/moodle/moodle/commit/8e34d8e85b971a01459797799c0696cfeaae9cc0
github.com/moodle/moodle/commit/c844af2569e972195db8bca683c1fdf2ddbc3a59
github.com/moodle/moodle/commit/fe8430e0dc2a50ea8e03d709e95d1226631d0d52
moodle.org/mod/forum/discuss.php?d=275154
nvd.nist.gov/vuln/detail/CVE-2014-7832
web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
50.4%