CVE-2014-7832
Moodle <= 2.4.11, 2.5.x < 2.5.9, 2.6.x < 2.6.6, 2.7.x < 2.7.3 - Authenticated Access Control Bypass in LTI Module
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
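The description above says the launch page checked mod/lti:view in the course context rather than in the activity's own context. The following is an added illustration of that bug class and is not Moodle's code (Moodle is written in PHP; the real fix is the MDL-47921 commit referenced on this page). It models Moodle-style nested contexts (system > course > module) with per-role capability overrides, then compares a course-level check with an activity-level check for the same user. All context, role and override names are constructed assumptions; the override resolution rule (deepest setting wins, "prohibit" is final) is the usual description of Moodle's model, not taken from this page.

```python
# Added illustration of the CVE-2014-7832 bug class, not Moodle's own code.
# Contexts form a tree (system > course > module); each context may carry
# per-role capability overrides. All names and values here are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAP = "mod/lti:view"


@dataclass
class Context:
    name: str
    parent: Optional["Context"] = None
    # overrides[role][capability] -> "allow" | "prevent" | "prohibit"
    overrides: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def chain(self) -> List["Context"]:
        """Contexts from the system root down to this one."""
        out, cur = [], self
        while cur is not None:
            out.append(cur)
            cur = cur.parent
        return list(reversed(out))


@dataclass
class CourseModule:
    name: str
    course_ctx: Context
    ctx: Context  # the activity's own context, a child of course_ctx


def has_capability(cap: str, ctx: Context, role: str) -> bool:
    """Resolve a capability along the context path: the deepest explicit
    setting wins, except that a 'prohibit' anywhere on the path is final
    and cannot be re-allowed further down (assumed Moodle-style rule)."""
    result = False
    for c in ctx.chain():
        perm = c.overrides.get(role, {}).get(cap)
        if perm == "prohibit":
            return False
        if perm == "allow":
            result = True
        elif perm == "prevent":
            result = False
    return result


def launch_allowed_vulnerable(cm: CourseModule, role: str) -> bool:
    """Pre-fix pattern: the check runs in the course context, so an override
    that restricts the capability on this one activity is never consulted."""
    return has_capability(CAP, cm.course_ctx, role)


def launch_allowed_fixed(cm: CourseModule, role: str) -> bool:
    """Fixed pattern: the check runs in the activity's own context."""
    return has_capability(CAP, cm.ctx, role)


def build_fixture() -> Dict[str, CourseModule]:
    """Constructed sample site: students may view LTI tools by default, one
    activity has that capability prevented for students, and guests are
    prohibited from it at course level."""
    system = Context("system", overrides={"student": {CAP: "allow"}})
    course = Context("course-101", parent=system,
                     overrides={"guest": {CAP: "prohibit"}})
    open_ctx = Context("lti-open", parent=course)
    restricted_ctx = Context("lti-restricted", parent=course,
                             overrides={"student": {CAP: "prevent"}})
    return {
        "open": CourseModule("lti-open", course, open_ctx),
        "restricted": CourseModule("lti-restricted", course, restricted_ctx),
    }


if __name__ == "__main__":
    fx = build_fixture()
    for name, cm in fx.items():
        print(name,
              "course-level check:", launch_allowed_vulnerable(cm, "student"),
              "activity-level check:", launch_allowed_fixed(cm, "student"))
```

Running the model shows the difference: for the restricted activity the course-level check still reports True for a student, because the "prevent" override lives one level below where the check looks, while the activity-level check reports False. The same pattern is worth grepping for in any Moodle module's launch or view script: a require_capability() against a course context when a course-module context is available is the smell to look for.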
References (4)
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1031215
Mailing List (x_refsource_mlist): http://openwall.com/lists/oss-security/2014/11/17/11
Patch (x_refsource_confirm): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
Vendor Advisory (x_refsource_confirm): https://moodle.org/mod/forum/discuss.php?d=275154
Scores
EPSS
0.0024
EPSS Percentile
47.5%
Details
CWE
CWE-264
Status
published
Products (20)
moodle/moodle: 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.6.0
... and 10 more
Published
Nov 24, 2014
Tracked Since
Feb 18, 2026