CVE-2012-0795
Description
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 does not validate e-mail address settings, which allows remote authenticated users to have an unspecified impact via a crafted address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.13:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.14:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.15:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.0:*:*:*:*:*:*:*
- (no CPE) version range: < 2.2.1
Patches
Vulnerability mechanics
Root cause
"Missing input validation and output escaping on user-supplied email and Jabber messaging preferences."
Attack vector
A remote authenticated user can set a crafted email address or Jabber ID in their messaging preferences. Because the email address was not sanitized with `clean_param(..., PARAM_EMAIL)` before being used in `send_message()`, an attacker could cause the system to send messages to arbitrary or malformed addresses [CWE-20]. Additionally, the unescaped output in `config_form()` could lead to reflected cross-site scripting (XSS) if a malicious value is stored and later rendered in the preferences form [patch_id=6650973][patch_id=6650974].
Affected code
The vulnerability resides in `message/output/email/message_output_email.php` and `message/output/jabber/message_output_jabber.php`. In the email output plugin, the `send_message()` function did not sanitize the user's messaging preference email address before using it, and the `config_form()` function did not validate the email address or escape output. In the Jabber output plugin, the `config_form()` function did not escape the Jabber ID before rendering it in an HTML input value attribute.
What the fix does
The patches address two issues. First, in `send_message()`, the email preference is now sanitized via `clean_param($emailmessagingpreference, PARAM_EMAIL)` before being used, preventing delivery to invalid addresses [patch_id=6650975]. Second, in `config_form()`, the email and Jabber ID values are escaped with `s()` before being output in HTML, preventing XSS [patch_id=6650973][patch_id=6650974]. Additionally, `validate_email()` is called to detect invalid addresses and display an error message, and the input field is built using `html_writer::empty_tag()` for safer attribute handling [patch_id=6650976][patch_id=6650978].
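To make the two defects and their remediation concrete, the following is an added illustration written for this page; it is not Moodle's code and does not reproduce the patched files. It uses plain-PHP stand-ins (`clean_email()`, `esc()`) for Moodle's `clean_param(..., PARAM_EMAIL)`, `validate_email()` and `s()`, and a hand-built attribute loop in place of `html_writer::empty_tag()`, so that it runs without a Moodle checkout. The field name `email_email` and the sample stored value are constructed for the example.

```php
<?php
// Added illustration (not Moodle's code): the vulnerable and hardened forms of a
// messaging-preference handler, modelled on the defects this CVE's fix addresses.
// clean_email() and esc() are plain-PHP stand-ins for Moodle's
// clean_param($v, PARAM_EMAIL) / validate_email() and s().

// Stand-in for clean_param($value, PARAM_EMAIL): keep a valid address, else return ''.
// This mirrors Moodle's behaviour of discarding values that fail validation.
function clean_email(string $value): string {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : '';
}

// Stand-in for Moodle's s(): encode the value for use inside an HTML attribute.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored preference is interpolated directly into the
// value attribute, so a stored quote character breaks out of the attribute.
function vulnerable_config_form(string $storedemail): string {
    return '<input type="text" name="email_email" value="' . $storedemail . '" />';
}

// Hardened pattern: validate the stored value, report it if invalid, and escape
// it before it is rendered. Attributes are assembled from an array the way an
// html_writer-style helper would, so each value is encoded exactly once.
function hardened_config_form(string $storedemail): array {
    $error = '';
    if ($storedemail !== '' && clean_email($storedemail) === '') {
        $error = 'Invalid email address';
    }
    $attrs = ['type' => 'text', 'name' => 'email_email', 'value' => esc($storedemail)];
    $html = '<input';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    $html .= ' />';
    return ['html' => $html, 'error' => $error];
}

// Hardened send path: a preference that fails validation is never used as a
// delivery address; the account's own address is used instead.
function resolve_recipient(string $preference, string $accountemail): string {
    $clean = clean_email($preference);
    return $clean !== '' ? $clean : $accountemail;
}

// Constructed sample: a stored preference carrying an attribute-breaking value.
$sample = 'user@example.com"><b>injected</b>';

echo "vulnerable form : ", vulnerable_config_form($sample), "\n";
$hardened = hardened_config_form($sample);
echo "hardened form   : ", $hardened['html'], "\n";
echo "validation error: ", $hardened['error'], "\n";
echo "recipient used  : ", resolve_recipient($sample, 'fallback@example.com'), "\n";
```

Run it with `php example.php`. The vulnerable output shows the closing quote and the injected tag landing in live markup, while the hardened output keeps the whole stored value as encoded attribute text, surfaces a validation error for the operator, and routes delivery to the account address rather than the malformed preference. The point of separating `clean_email()` from `esc()` is that validation on the send path and escaping on the render path are independent controls; the page's fix applies both.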
Preconditions
- auth: Attacker must be an authenticated Moodle user with the ability to set messaging preferences.
- input: The crafted email address or Jabber ID is stored in the user's messaging preferences.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 3
Linked articles: 0 (no linked articles in our index yet).