Vulnerabilities > CVE-2018-1081 - Unspecified vulnerability in Moodle
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.
Vulnerable Configurations
Nessus
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_CDB4D96234F911E892DB080027907385.NASL |
description | moodle reports : Unauthenticated users can trigger custom messages to admin via paypal enrol script. Suspended users with OAuth 2 authentication method can still log in to the site. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 108781 |
published | 2018-04-02 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/108781 |
title | FreeBSD : moodle -- multiple vulnerabilities (cdb4d962-34f9-11e8-92db-080027907385) |
References
- http://www.securityfocus.com/bid/103728
- http://www.securityfocus.com/bid/103728
- https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
- https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
- https://moodle.org/mod/forum/discuss.php?d=367938
- https://moodle.org/mod/forum/discuss.php?d=367938