171 matches found
CVE-2023-34831
The CVE-2023-34831 entry affects Turnitin LTI tool/plugin version 1.3, specifically the Submission Web Form. The vulnerability is HTML Injection via the id and title HTTP POST parameters used when students submit reports for similarity checks. Connected sources corroborate this HTML injection iss...
Moodle < 3.9.15 / 3.11.x < 3.11.8 / 4.0.x < 4.0.2 LTI Module Cross-Site-Scripting
Moodle is a free and open-source learning management system written in PHP. Moodle versions before 3.9.15, 3.11.x before 3.11.8 and 4.0.x before 4.0.2 suffer from a Cross-Site Scripting XSS vulnerability through the LTI module which only affects unauthenticated users. By crafting a specific HTTP...
Moodle 3.11.x < 3.11.11 Multiple Vulnerabilities
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.18, 3.11.x prior to 3.11.11 or 4.0.x prior to 4.0.5. It is, therefore, affected by multiple vulnerabilities: - An information disclosure due to a user CSRF token being unnecessarily included in the URL during the redirection...
Moodle 3.9.x < 3.9.15 Multiple Vulnerabilities
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.15, 3.11.x prior to 3.11.8 or 4.0.x prior to 4.0.2. It is, therefore, affected by multiple vulnerabilities: - A code injection through an omitted execution parameter elading to Remote Code Execution RCE for sites running...
Moodle 3.11.x < 3.11.8 Multiple Vulnerabilities
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.15, 3.11.x prior to 3.11.8 or 4.0.x prior to 4.0.2. It is, therefore, affected by multiple vulnerabilities: - A code injection through an omitted execution parameter elading to Remote Code Execution RCE for sites running...
Moodle 3.9.x < 3.9.18 Multiple Vulnerabilities
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.18, 3.11.x prior to 3.11.11 or 4.0.x prior to 4.0.5. It is, therefore, affected by multiple vulnerabilities: - An information disclosure due to a user CSRF token being unnecessarily included in the URL during the redirection...
Moodle 4.0.x < 4.0.5 Multiple Vulnerabilities
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.18, 3.11.x prior to 3.11.11 or 4.0.x prior to 4.0.5. It is, therefore, affected by multiple vulnerabilities: - An information disclosure due to a user CSRF token being unnecessarily included in the URL during the redirection...
Missing Authorization
lticonsumerxblock is vulnerable to Missing Authorization. The vulnerability exists in signals.py because of the lack of security validation in the LTI Tool which allows attackers to submit scores for any LTI XBlock on the platform using the malicious LTI tool...
CVE-2023-23611
LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...
Authorization
LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...
PYSEC-2023-21
LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...
CVE-2023-23611
The CVE-2023-23611 entry concerns the LTI Consumer XBlock for Open edX. Affected: LTI Consumer XBlock versions 7.0.0 and above, before 7.2.2. Issue: Missing Authorization allows any integrated LTI tool to post grades for any LTI XBlock by guessing the block location via the resource_link_id, comp...
CVE-2023-23611 xblock-lti-consumer contain Missing Authorization in Grade Pass Back Implementation
LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...
CVE-2023-23611 xblock-lti-consumer contain Missing Authorization in Grade Pass Back Implementation
LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...
Cengage LTI Session Management Leakage
Prior to December 10, 2022, Cengage, an education technology provider in use in many higher education environments primarily in the United States, had two issues in the way it handled session management over its Learning Tools Integration LTI pipeline. The first issue involves leaving unexpectedl...
Moodle < 3.9.18, 3.11.x < 3.11.11, 4.x < 4.0.5 Multiple Vulnerabilities
Moodle is prone to multiple vulnerabilities. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Server-side Request Forgery (SSRF)
moodle/moodle is vulnerable to server-side request forgery. An attacker can make HTTP requests to untrusted URLs through the send function of HTTPMessage.php and gain access to sensitive information through the LTI provider library...
Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library
A blind Server-Side Request Forgery SSRF vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a...
GHSA-XQCF-VGQC-PCMG Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library
A blind Server-Side Request Forgery SSRF vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a...
CVE-2022-45152
A blind Server-Side Request Forgery SSRF vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a...