CVE-2014-9060 - Vulnerability Details - OpenCVE

The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:2.5.0:::::::*
	cpe:2.3:a:moodle:moodle:2.5.1:::::::*
	cpe:2.3:a:moodle:moodle:2.5.2:::::::*
	cpe:2.3:a:moodle:moodle:2.5.3:::::::*
	cpe:2.3:a:moodle:moodle:2.5.4:::::::*
	cpe:2.3:a:moodle:moodle:2.5.5:::::::*
	cpe:2.3:a:moodle:moodle:2.5.6:::::::*
	cpe:2.3:a:moodle:moodle:2.5.7:::::::*
	cpe:2.3:a:moodle:moodle:2.5.8:::::::*
	cpe:2.3:a:moodle:moodle:2.6.0:::::::*
	cpe:2.3:a:moodle:moodle:2.6.1:::::::*
	cpe:2.3:a:moodle:moodle:2.6.2:::::::*
	cpe:2.3:a:moodle:moodle:2.6.3:::::::*
	cpe:2.3:a:moodle:moodle:2.6.4:::::::*
	cpe:2.3:a:moodle:moodle:2.6.5:::::::*
	cpe:2.3:a:moodle:moodle:2.7.0:::::::*
	cpe:2.3:a:moodle:moodle:2.7.1:::::::*
	cpe:2.3:a:moodle:moodle:2.7.2:::::::*

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927
http://openwall.com/lists/oss-security/2014/11/17/11
http://www.securitytracker.com/id/1031215
https://moodle.org/mod/forum/discuss.php?d=275165

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-11-24T11:00:00

Updated: 2024-08-06T13:33:13.411Z

Reserved: 2014-11-24T00:00:00

Link: CVE-2014-9060

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-11-24T11:59:15.137

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-9060

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-29T18:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1031215", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://moodle.org/mod/forum/discuss.php?d=275165"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9060", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1031215", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"name": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927", "refsource": "CONFIRM", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=275165", "refsource": "CONFIRM", "url": "https://moodle.org/mod/forum/discuss.php?d=275165"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:33:13.411Z"}, "title": "CVE Program Container", "references": [{"name": "1031215", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=275165"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9060", "datePublished": "2014-11-24T11:00:00", "dateReserved": "2014-11-24T00:00:00", "dateUpdated": "2024-08-06T13:33:13.411Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "54F15A46-7242-4EAE-986E-9A7DBE7724ED", "versionEndIncluding": "2.4.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD1B5B42-ECA9-4888-B18E-AD8D282311DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "9EF03304-032C-4E85-A802-7CDAC89216FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "311BEFF3-A58A-4CA8-BE09-F8D081EA13A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "D7D2A1F8-82FF-4C1A-A872-71D93874EEAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "86E79BB0-6017-441C-9B10-00E55FDF0986", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "CA845882-C0F4-4522-94B2-9AA21A08887A", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "48F341A8-0AC8-4033-8C99-0249B7289F9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "4CE1A520-762B-4A35-8075-ED4ECA0A1CB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "9803CBE2-80A6-47EB-A782-CC8F1E66FBD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "05112EC5-3AAA-499B-8763-345187529C09", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "71407960-077B-4407-B249-789436687D91", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "72728F94-D408-4CAD-A214-800B1D1C7971", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "33C1E9B5-6B2B-4230-92F2-EC0FB307ECF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "6925A366-37EB-41ED-85C8-B56D6A93D4EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "A6400F9D-9654-444F-9EBB-0F73025AD744", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "4E051AAC-EB40-491F-AF0E-EE8143C12567", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "FADBE87F-1855-453B-B958-0CB8A7908A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B53A7D2-BDA2-4185-97C3-977A04876A37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php."}, {"lang": "es", "value": "El m\u00f3dulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no restringe debidamente los par\u00e1metros utilizados en una URL de retorno, lo que permite a atacantes remotos provocar la generaci\u00f3n de mensajes arbitrarios a trav\u00e9s de una URL modificada, relacionado con mod/lti/locallib.php and mod/lti/return.php."}], "id": "CVE-2014-9060", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-11-24T11:59:15.137", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927"}, {"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1031215"}, {"source": "cve@mitre.org", "url": "https://moodle.org/mod/forum/discuss.php?d=275165"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1031215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://moodle.org/mod/forum/discuss.php?d=275165"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}