Unauthorized Message Triggering in Moodle by Users
CVE-2018-1081

5.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Moodle
Vendor: CVE Published:; 4 April 2018

What is CVE-2018-1081?

A vulnerability in Moodle allows unauthenticated users to exploit the PayPal enrolment script, leading to spam messages sent to administrators. The issue arises when the PayPal IPN callback script forwards error emails to admins without verifying the request's origin, potentially flooding their inboxes with unwanted messages. This flawed implementation in versions 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10, and earlier unsupported versions poses a significant risk to administrators, emphasizing the importance of validating requests before processing notifications.

Affected Version(s)

Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions

References

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st...

x_refsource_CONFIRM

https://moodle.org/mod/forum/discuss.php?d=367938

x_refsource_CONFIRM

http://www.securityfocus.com/bid/103728

vdb-entryx_refsource_BID

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2018
Vulnerability Reserved
Dec 4, 2017

Red Hat

What is CVE-2018-1081?

Affected Version(s)

References

CVSS V3.1

Timeline