Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
|Versions affected:||3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions|
|Versions fixed:||3.6.3, 3.5.5 and 3.4.8|
|Reported by:||Brendan Cox|
|Tracker issue:||MDL-62702 Users could elevate their role when accessing the LTI tool on a provider site|