Описание
Moodle allows attackers to bypass the mod/lti:view capability requirement
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2014-7832
- https://github.com/moodle/moodle/commit/263f78b8b804fe7dbcd6ffadcadad2c94a0093f7
- https://github.com/moodle/moodle/commit/8e34d8e85b971a01459797799c0696cfeaae9cc0
- https://github.com/moodle/moodle/commit/c844af2569e972195db8bca683c1fdf2ddbc3a59
- https://github.com/moodle/moodle/commit/fe8430e0dc2a50ea8e03d709e95d1226631d0d52
- https://moodle.org/mod/forum/discuss.php?d=275154
- https://web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
- http://openwall.com/lists/oss-security/2014/11/17/11
Пакеты
moodle/moodle
< 2.5.9
2.5.9
moodle/moodle
>= 2.6.0, < 2.6.6
2.6.6
moodle/moodle
>= 2.7.0, < 2.7.3
2.7.3
EPSS
CVE ID
Связанные уязвимости
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x b ...
EPSS