CVE-2018-1081
MEDIUMMoodle < 3.0.10, 3.1-3.1.10 - Unauthenticated Email Spam via PayPal IPN Callback
Title source: llmDescription
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103728
Patch, Vendor Advisory x_refsource_confirm
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=367938
Scores
CVSS v3
5.3
EPSS
0.0093
EPSS Percentile
76.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
moodle/moodle
< 3.0.10
moodle/moodle
3.1 - 3.1.11Packagist
Published
Apr 04, 2018
Tracked Since
Feb 18, 2026