Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924
openwall.com/lists/oss-security/2014/11/17/11
github.com/moodle/moodle
github.com/moodle/moodle/commit/48ea41c48f3dcf28fb40fe0b0a1f0c4c0453d34d
github.com/moodle/moodle/commit/75d7e25198eeb6255963e2e46212d89b14e05dd7
github.com/moodle/moodle/commit/babaf596e10ee525e58314b36f8063c65b59aa7d
github.com/moodle/moodle/commit/bac38b11ab95862a831c6e6e60c03caf64eda599
moodle.org/mod/forum/discuss.php?d=275162
nvd.nist.gov/vuln/detail/CVE-2014-7836
web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215