296,202
Total vulnerabilities in the database
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.
| Software | From | Fixed in |
|---|---|---|
| moodle / moodle | 2.7.1 | 2.7.1.x |
| moodle / moodle | 2.5.1 | 2.5.1.x |
| moodle / moodle | 2.5.3 | 2.5.3.x |
| moodle / moodle | 2.5.7 | 2.5.7.x |
| moodle / moodle | 2.7.2 | 2.7.2.x |
| moodle / moodle | 2.5.5 | 2.5.5.x |
| moodle / moodle | 2.6.1 | 2.6.1.x |
| moodle / moodle | 2.5.2 | 2.5.2.x |
| moodle / moodle | - | 2.4.11.x |
| moodle / moodle | 2.5.8 | 2.5.8.x |
| moodle / moodle | 2.5.6 | 2.5.6.x |
| moodle / moodle | 2.6.5 | 2.6.5.x |
| moodle / moodle | 2.6.2 | 2.6.2.x |
| moodle / moodle | 2.7.0 | 2.7.0.x |
| moodle / moodle | 2.6.4 | 2.6.4.x |
| moodle / moodle | 2.5.4 | 2.5.4.x |
| moodle / moodle | 2.6.3 | 2.6.3.x |
| moodle / moodle | 2.5.0 | 2.5.0.x |
| moodle / moodle | 2.6.0 | 2.6.0.x |