PT-2018-10119 · Moodle · Moodle
Brendan Cox
·
Published
2018-04-04
·
Updated
2022-05-13
·
CVE-2018-1081
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Moodle versions 3.1 through 3.1.10
Moodle versions 3.2 through 3.2.7
Moodle versions 3.3 through 3.3.4
Moodle versions 3.4 through 3.4.1
Description
A flaw was found that allows unauthenticated users to trigger custom messages to admins via the paypal enrol script. The paypal IPN callback script fails to verify the request origin before sending error emails to admins, which can lead to admin email spamming.
Recommendations
For Moodle versions 3.1 through 3.1.10, update the paypal IPN callback script to verify the request origin before sending error emails to admins.
For Moodle versions 3.2 through 3.2.7, update the paypal IPN callback script to verify the request origin before sending error emails to admins.
For Moodle versions 3.3 through 3.3.4, update the paypal IPN callback script to verify the request origin before sending error emails to admins.
For Moodle versions 3.4 through 3.4.1, update the paypal IPN callback script to verify the request origin before sending error emails to admins.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Moodle