MSA-16-0020: Text injection in email headers

by Marina Glancy.  

Description:By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary:User firstname/lastname not sanitized when sending emails
Versions affected:3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed:3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by:Pierre Guinoiseau
Issue no.:MDL-55069
Workaround:Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier:CVE-2016-5013
Changes (master):

Read more