Moodle Improper Input Validation Vulnerability - CVE-2014-9060

The LTI module in Moodle through 2.4.11 2.5.x before 2.5.9 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL which allows remote attackers to trigger the generation of arbitrary messages via a modified URL related to mod/lti/locallib.php and mod/lti/return.php.