Moodle is vulnerable to unauthorized printing of arbitrary message to user. The vulnerability is possible because the application does not check the session key on the return page in the LTI module. A malicious user can pass a malicious string through the URL query string to have it printed.