Moodle is vulnerable to cross-site request forgery (CSRF) attacks. The application does not check the session key in mod/lti/request_tool.php
and mod/lti/instructor_edit_tool_type.php
, allowing a malicious user to hijack authentication of an arbitrary user.