mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
openwall.com/lists/oss-security/2014/11/17/11
github.com/moodle/moodle
github.com/moodle/moodle/commit/263f78b8b804fe7dbcd6ffadcadad2c94a0093f7
github.com/moodle/moodle/commit/8e34d8e85b971a01459797799c0696cfeaae9cc0
github.com/moodle/moodle/commit/c844af2569e972195db8bca683c1fdf2ddbc3a59
github.com/moodle/moodle/commit/fe8430e0dc2a50ea8e03d709e95d1226631d0d52
moodle.org/mod/forum/discuss.php?d=275154
nvd.nist.gov/vuln/detail/CVE-2014-7832
web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215
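
The difference between a course-level and an activity-level check, as an added example that is not Moodle's code or the actual patch: a simplified PHP model of context-scoped capability resolution in which the most specific context that sets a permission wins. The context names, activity ids, permission table and function names are constructed for illustration, and the course-level gate is assumed to evaluate only the course context.

```php
<?php
// Simplified model, constructed for illustration (not Moodle's implementation).
const ALLOW = 1;
const PREVENT = -1;

// Constructed sample data: one role's permissions, keyed by context then capability.
$permissions = [
    'course:101'  => ['mod/lti:view' => ALLOW],
    // Override set on a single LTI activity instance only.
    'module:5001' => ['mod/lti:view' => PREVENT],
];

// Context path of each activity, from least to most specific.
$paths = [
    5001 => ['course:101', 'module:5001'],
    5002 => ['course:101', 'module:5002'],
];

/** Resolve a capability along a context path; the last context that sets it wins. */
function has_cap(array $permissions, array $path, string $cap): bool {
    $result = PREVENT; // default deny when no context sets the capability
    foreach ($path as $ctx) {
        if (isset($permissions[$ctx][$cap])) {
            $result = $permissions[$ctx][$cap];
        }
    }
    return $result === ALLOW;
}

/** Course-level gate: stops at the course context, so activity overrides are never seen. */
function launch_allowed_course_level(array $permissions, array $path): bool {
    return has_cap($permissions, [$path[0]], 'mod/lti:view');
}

/** Activity-level gate: evaluates the full path down to the activity instance. */
function launch_allowed_activity_level(array $permissions, array $path): bool {
    return has_cap($permissions, $path, 'mod/lti:view');
}

foreach ($paths as $cmid => $path) {
    printf("activity %d: course-level=%s activity-level=%s\n", $cmid,
        var_export(launch_allowed_course_level($permissions, $path), true),
        var_export(launch_allowed_activity_level($permissions, $path), true));
}
```

When reviewing a module entry point for this class of bug, the two gates disagree only for activities that carry their own override, which is why course-wide testing alone does not reveal it.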