CVE-2015-0211

Name of the Vulnerable Software and Affected Versions Moodle versions 2.5.9 and earlier Moodle versions 2.6.x before 2.6.7 Moodle versions 2.7.x before 2.7.4 Moodle versions 2.8.x before 2.8.2

Description The issue is related to the mod/lti/ajax.php component in Moodle, which does not properly consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before handling registered-tool list searches. This allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service. The vulnerability is associated with a lack of protection for internal data, which can be exploited by an attacker to gain access to protected information using specially crafted requests to the Ajax service.

Recommendations For Moodle versions 2.5.9 and earlier, update to a version later than 2.5.9. For Moodle versions 2.6.x before 2.6.7, update to version 2.6.7 or later. For Moodle versions 2.7.x before 2.7.4, update to version 2.7.4 or later. For Moodle versions 2.8.x before 2.8.2, update to version 2.8.2 or later. As a temporary workaround, consider restricting access to the mod/lti/ajax.php component until a patch is available.