CVE-2015-0211
Description
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.6.7 | 2.6.7 |
| moodle/moodle (Packagist) | >= 2.7.0, < 2.7.4 | 2.7.4 |
| moodle/moodle (Packagist) | >= 2.8.0, < 2.8.2 | 2.8.2 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (version range: <= 2.5.9)
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
Patches
da4c33f510aa MDL-47920 mod_lti: add capability checks, http headers
1 file changed · +13 −3
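--- a/mod/lti/ajax.php
+++ b/mod/lti/ajax.php
@@ -26,11 +26,13 @@
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  * @author Chris Scribner
  */
+define('AJAX_SCRIPT', true);
 require_once(dirname(__FILE__) . "/../../config.php");
 require_once($CFG->dirroot . '/mod/lti/locallib.php');
 $courseid = required_param('course', PARAM_INT);
+$context = context_course::instance($courseid);
 require_login($courseid, false);
@@ -43,15 +45,18 @@
 $toolurl = required_param('toolurl', PARAM_RAW);
 $toolid = optional_param('toolid', 0, PARAM_INT);
+require_capability('moodle/course:manageactivities', $context);
+require_capability('mod/lti:addinstance', $context);
+
 if (empty($toolid) && !empty($toolurl)) {
 $tool = lti_get_tool_by_url_match($toolurl, $courseid);
 if (!empty($tool)) {
 $toolid = $tool->id;
 $response->toolid = $tool->id;
-$response->toolname = htmlspecialchars($tool->name);
-$response->tooldomain = htmlspecialchars($tool->tooldomain);
+$response->toolname = s($tool->name);
+$response->tooldomain = s($tool->tooldomain);
 }
 } else {
 $response->toolid = $toolid;
@@ -68,14 +73,19 @@
 ';
 $privacyconfigs = $DB->get_records_sql($query, array('typeid' => $toolid));
+$success = count($privacyconfigs) > 0;
 foreach ($privacyconfigs as $config) {
 $configname = $config->name;
 $response->$configname = $config->value;
 }
+if (!$success) {
+$response->error = s(get_string('tool_config_not_found', 'mod_lti'));
+}
 }
+break;
 }
-
+echo $OUTPUT->header();
 echo json_encode($response);
 die;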
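Review bot: The two `require_capability` calls in the second hunk sit inside one branch of the script's action switch (the added `break;` before the final `}` in the third hunk shows the case structure), while the switch header and any sibling cases lie outside the hunk, so any other action the script serves would still be reachable with only `require_login`. If this is the only case the placement is harmless, but hoisting the gate to the top of the script, directly after `require_login($courseid, false);` in the first hunk, guards every action and keeps the authorization check adjacent to the authentication check, which is easier to audit: `require_login($courseid, false);` `require_capability('moodle/course:manageactivities', $context);` `require_capability('mod/lti:addinstance', $context);`. The same layout is used in faf0cd909851, 52555c36989b and fc6619d5c0bb, which differ from this commit only in line offsets and brace-style fixes.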
faf0cd909851 MDL-47920 mod_lti: add capability checks, http headers
1 file changed · +13 −3
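--- a/mod/lti/ajax.php
+++ b/mod/lti/ajax.php
@@ -26,11 +26,13 @@
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  * @author Chris Scribner
  */
+define('AJAX_SCRIPT', true);
 require_once(dirname(__FILE__) . "/../../config.php");
 require_once($CFG->dirroot . '/mod/lti/locallib.php');
 $courseid = required_param('course', PARAM_INT);
+$context = context_course::instance($courseid);
 require_login($courseid, false);
@@ -43,15 +45,18 @@
 $toolurl = required_param('toolurl', PARAM_RAW);
 $toolid = optional_param('toolid', 0, PARAM_INT);
+require_capability('moodle/course:manageactivities', $context);
+require_capability('mod/lti:addinstance', $context);
+
 if (empty($toolid) && !empty($toolurl)) {
 $tool = lti_get_tool_by_url_match($toolurl, $courseid);
 if (!empty($tool)) {
 $toolid = $tool->id;
 $response->toolid = $tool->id;
-$response->toolname = htmlspecialchars($tool->name);
-$response->tooldomain = htmlspecialchars($tool->tooldomain);
+$response->toolname = s($tool->name);
+$response->tooldomain = s($tool->tooldomain);
 }
 } else {
 $response->toolid = $toolid;
@@ -68,14 +73,19 @@
 ';
 $privacyconfigs = $DB->get_records_sql($query, array('typeid' => $toolid));
+$success = count($privacyconfigs) > 0;
 foreach ($privacyconfigs as $config) {
 $configname = $config->name;
 $response->$configname = $config->value;
 }
+if (!$success) {
+$response->error = s(get_string('tool_config_not_found', 'mod_lti'));
+}
 }
+break;
 }
-
+echo $OUTPUT->header();
 echo json_encode($response);
 die;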
52555c36989b MDL-47920 mod_lti: add capability checks, http headers
1 file changed · +15 −5
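--- a/mod/lti/ajax.php
+++ b/mod/lti/ajax.php
@@ -24,11 +24,13 @@
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  * @author Chris Scribner
  */
+define('AJAX_SCRIPT', true);
 require_once(dirname(__FILE__) . "/../../config.php");
 require_once($CFG->dirroot . '/mod/lti/locallib.php');
 $courseid = required_param('course', PARAM_INT);
+$context = context_course::instance($courseid);
 require_login($courseid, false);
@@ -41,15 +43,18 @@
 $toolurl = required_param('toolurl', PARAM_RAW);
 $toolid = optional_param('toolid', 0, PARAM_INT);
-if(empty($toolid) && !empty($toolurl)){
+require_capability('moodle/course:manageactivities', $context);
+require_capability('mod/lti:addinstance', $context);
+
+if (empty($toolid) && !empty($toolurl)) {
 $tool = lti_get_tool_by_url_match($toolurl, $courseid);
 if(!empty($tool)){
 $toolid = $tool->id;
 $response->toolid = $tool->id;
-$response->toolname = htmlspecialchars($tool->name);
-$response->tooldomain = htmlspecialchars($tool->tooldomain);
+$response->toolname = s($tool->name);
+$response->tooldomain = s($tool->tooldomain);
 }
 } else {
 $response->toolid = $toolid;
@@ -66,14 +71,19 @@
 ';
 $privacyconfigs = $DB->get_records_sql($query, array('typeid' => $toolid));
-foreach($privacyconfigs as $config){
+$success = count($privacyconfigs) > 0;
+foreach ($privacyconfigs as $config) {
 $configname = $config->name;
 $response->$configname = $config->value;
 }
+if (!$success) {
+$response->error = s(get_string('tool_config_not_found', 'mod_lti'));
+}
 }
+break;
 }
-
+echo $OUTPUT->header();
 echo json_encode($response);
 die;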
fc6619d5c0bb MDL-47920 mod_lti: add capability checks, http headers
1 file changed · +15 −5
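--- a/mod/lti/ajax.php
+++ b/mod/lti/ajax.php
@@ -24,11 +24,13 @@
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  * @author Chris Scribner
  */
+define('AJAX_SCRIPT', true);
 require_once(dirname(__FILE__) . "/../../config.php");
 require_once($CFG->dirroot . '/mod/lti/locallib.php');
 $courseid = required_param('course', PARAM_INT);
+$context = context_course::instance($courseid);
 require_login($courseid, false);
@@ -41,15 +43,18 @@
 $toolurl = required_param('toolurl', PARAM_RAW);
 $toolid = optional_param('toolid', 0, PARAM_INT);
-if(empty($toolid) && !empty($toolurl)){
+require_capability('moodle/course:manageactivities', $context);
+require_capability('mod/lti:addinstance', $context);
+
+if (empty($toolid) && !empty($toolurl)) {
 $tool = lti_get_tool_by_url_match($toolurl, $courseid);
 if(!empty($tool)){
 $toolid = $tool->id;
 $response->toolid = $tool->id;
-$response->toolname = htmlspecialchars($tool->name);
-$response->tooldomain = htmlspecialchars($tool->tooldomain);
+$response->toolname = s($tool->name);
+$response->tooldomain = s($tool->tooldomain);
 }
 } else {
 $response->toolid = $toolid;
@@ -66,14 +71,19 @@
 ';
 $privacyconfigs = $DB->get_records_sql($query, array('typeid' => $toolid));
-foreach($privacyconfigs as $config){
+$success = count($privacyconfigs) > 0;
+foreach ($privacyconfigs as $config) {
 $configname = $config->name;
 $response->$configname = $config->value;
 }
+if (!$success) {
+$response->error = s(get_string('tool_config_not_found', 'mod_lti'));
+}
 }
+break;
 }
-
+echo $OUTPUT->header();
 echo json_encode($response);
 die;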
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-frhc-9hwc-x7j3 (ghsa; ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd; Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2015-0211 (ghsa; ADVISORY)
- openwall.com/lists/oss-security/2015/01/19/1 (nvd; WEB)
- github.com/moodle/moodle/commit/52555c36989b6704550ed0b3c6e832f5e7e150b7 (ghsa; WEB)
- github.com/moodle/moodle/commit/da4c33f510aabc0d7443c29a7c097cfd54b6c4a4 (ghsa; WEB)
- github.com/moodle/moodle/commit/faf0cd9098517cd6274219b58f6f4a278d26455d (ghsa; WEB)
- github.com/moodle/moodle/commit/fc6619d5c0bb297e6736880ff5353bb668048002 (ghsa; WEB)
News mentions
No linked articles in our index yet.