Vulnerability Monitor

CVE-2014-9060


The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.


Published

2014-11-24T11:59:15.137

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-20

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | moodle | moodle | ≤ 2.4.11 | Yes |
| Application | moodle | moodle | 2.5.0 | Yes |
| Application | moodle | moodle | 2.5.1 | Yes |
| Application | moodle | moodle | 2.5.2 | Yes |
| Application | moodle | moodle | 2.5.3 | Yes |
| Application | moodle | moodle | 2.5.4 | Yes |
| Application | moodle | moodle | 2.5.5 | Yes |
| Application | moodle | moodle | 2.5.6 | Yes |
| Application | moodle | moodle | 2.5.7 | Yes |
| Application | moodle | moodle | 2.5.8 | Yes |
| Application | moodle | moodle | 2.6.0 | Yes |
| Application | moodle | moodle | 2.6.1 | Yes |
| Application | moodle | moodle | 2.6.2 | Yes |
| Application | moodle | moodle | 2.6.3 | Yes |
| Application | moodle | moodle | 2.6.4 | Yes |
| Application | moodle | moodle | 2.6.5 | Yes |
| Application | moodle | moodle | 2.7.0 | Yes |
| Application | moodle | moodle | 2.7.1 | Yes |
| Application | moodle | moodle | 2.7.2 | Yes |

References