History: Apr 04, 2018 - 9:29 p.m.

CVE-2018-1081

2018-04-04 21:29:00
CWE-79
web.nvd.nist.gov
Tags: moodle, flaw, security, unauthenticated, paypal, enrol script, admin, ipn, callback, nvd, cve-2018-1081

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 5 Medium
Confidence: High

EPSS: 0.002 Low
Percentile: 51.5%

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin's email can be spammed.

Affected configurations

Node
red_hat\,_inc. moodle, range 3.4 to 3.4.1
OR
red_hat\,_inc. moodle, range 3.3 to 3.3.4
OR
red_hat\,_inc. moodle, range 3.2 to 3.2.7
OR
red_hat\,_inc. moodle, range 3.1 to 3.1.10

CNA Affected

[
  {
    "product": "Moodle",
    "vendor": "Red Hat, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions"
      }
    ]
  }
]
