Vulnerability Description
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin's email can be spammed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | <= 3.0.10 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/103728 (Third Party Advisory, VDB Entry)
- https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392 (Patch, Vendor Advisory)
- https://moodle.org/mod/forum/discuss.php?d=367938 (Vendor Advisory)
FAQ
What is CVE-2018-1081?
CVE-2018-1081 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script....
How severe is CVE-2018-1081?
CVE-2018-1081 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-1081?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.