CVE-2014-7832: Moodle allows attackers to bypass the mod/lti:view capability requirement
(updated )
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
References
- git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
- openwall.com/lists/oss-security/2014/11/17/11
- github.com/advisories/GHSA-mphj-h2fc-62x3
- github.com/moodle/moodle/commit/263f78b8b804fe7dbcd6ffadcadad2c94a0093f7
- github.com/moodle/moodle/commit/8e34d8e85b971a01459797799c0696cfeaae9cc0
- github.com/moodle/moodle/commit/c844af2569e972195db8bca683c1fdf2ddbc3a59
- github.com/moodle/moodle/commit/fe8430e0dc2a50ea8e03d709e95d1226631d0d52
- moodle.org/mod/forum/discuss.php?d=275154
- nvd.nist.gov/vuln/detail/CVE-2014-7832
- web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215
Code Behaviors & Features
Detect and mitigate CVE-2014-7832 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →