Medium severity5.4NVD Advisory· Published Jan 20, 2017· Updated May 13, 2026
CVE-2016-5013
CVE-2016-5013
Description
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.1, < 3.1.1 | 3.1.1 |
| moodle/moodle (Packagist) | >= 3.0, < 3.0.5 | 3.0.5 |
| moodle/moodle (Packagist) | >= 2.9, < 2.9.7 | 2.9.7 |
| moodle/moodle (Packagist) | >= 2.8, <= 2.8.12 | — |
| moodle/moodle (Packagist) | >= 2.7, < 2.7.15 | 2.7.15 |
Affected products
27cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 26 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.7.14
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.0:*:*:*:*:*:*:*
Patches
1ed63718caa48MDL-55069 core: escape special characters in email headers
2 files changed · +39 −4
lib/phpmailer/moodle_phpmailer.php+7 −3 modified@@ -91,11 +91,15 @@ public function addCustomHeader($custom_header, $value = null) { public function encodeHeader($str, $position = 'text') { $encoded = core_text::encode_mimeheader($str, $this->CharSet); if ($encoded !== false) { - $encoded = str_replace("\n", $this->LE, $encoded); if ($position === 'phrase') { - return ("\"$encoded\""); + // Escape special symbols in each line in the encoded string, join back together and enclose in quotes. + $chunks = preg_split("/\\n/", $encoded); + $chunks = array_map(function($chunk) { + return addcslashes($chunk, "\0..\37\177\\\""); + }, $chunks); + return '"' . join($this->LE, $chunks) . '"'; } - return $encoded; + return str_replace("\n", $this->LE, $encoded); } return parent::encodeHeader($str, $position);
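Review bot: In the `phrase` branch the encoded string is split on "\n" before escaping, so a line feed already present in `$str` cannot be told apart from a fold inserted by `core_text::encode_mimeheader()` and is re-joined with `$this->LE` instead of being escaped. The tests in this commit show ASCII-only input coming back from `encode_mimeheader()` unchanged, so this presumably relies on every caller having stripped CR/LF beforehand, which the hunk does not show. The `text` branch likewise only rewrites "\n" and applies no escaping at all. Consider dropping line breaks from the input before encoding, e.g. `$str = str_replace(array("\r", "\n"), '', $str);` as the first statement, or at least documenting the precondition with `// Callers must pass $str without CR/LF; only folds added by encode_mimeheader() are expected here.` The closing brace of `encodeHeader()` lies outside the hunk.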
lib/tests/text_test.php+32 −1 modified@@ -345,10 +345,41 @@ public function test_specialtoascii() { /** * Tests the static encode_mimeheader method. + * This also tests method moodle_phpmailer::encodeHeader that calls core_text::encode_mimeheader */ public function test_encode_mimeheader() { + global $CFG; + require_once($CFG->libdir.'/phpmailer/moodle_phpmailer.php'); + $mailer = new moodle_phpmailer(); + + // Encode short string with non-latin characters. $str = "Žluťoučký koníček"; - $this->assertSame('=?utf-8?B?xb1sdcWlb3XEjWvDvSBrb27DrcSNZWs=?=', core_text::encode_mimeheader($str)); + $encodedstr = '=?utf-8?B?xb1sdcWlb3XEjWvDvSBrb27DrcSNZWs=?='; + $this->assertSame($encodedstr, core_text::encode_mimeheader($str)); + $this->assertSame($encodedstr, $mailer->encodeHeader($str)); + $this->assertSame('"' . $encodedstr . '"', $mailer->encodeHeader($str, 'phrase')); + + // Encode short string without non-latin characters. Make sure the quotes are escaped in quoted email headers. + $latinstr = 'text"with quotes'; + $this->assertSame($latinstr, core_text::encode_mimeheader($latinstr)); + $this->assertSame($latinstr, $mailer->encodeHeader($latinstr)); + $this->assertSame('"text\\"with quotes"', $mailer->encodeHeader($latinstr, 'phrase')); + + // Encode long string without non-latin characters. + $longlatinstr = 'This is a very long text that still should not be split into several lines in the email headers because '. + 'it does not have any non-latin characters. The "quotes" and \\backslashes should be escaped only if it\'s a part of email address'; + $this->assertSame($longlatinstr, core_text::encode_mimeheader($longlatinstr)); + $this->assertSame($longlatinstr, $mailer->encodeHeader($longlatinstr)); + $longlatinstrwithslash = preg_replace(['/\\\\/', "/\"/"], ['\\\\\\', '\\"'], $longlatinstr); + $this->assertSame('"' . $longlatinstrwithslash . '"', $mailer->encodeHeader($longlatinstr, 'phrase')); + + // Encode long string with non-latin characters. 
+ $longstr = "Неопознанная ошибка в файле C:\\tmp\\: \"Не пользуйтесь виндоуз\""; + $encodedlongstr = "=?utf-8?B?0J3QtdC+0L/QvtC30L3QsNC90L3QsNGPINC+0YjQuNCx0LrQsCDQsiDRhNCw?= + =?utf-8?B?0LnQu9C1IEM6XHRtcFw6ICLQndC1INC/0L7Qu9GM0LfRg9C50YLQtdGB?= + =?utf-8?B?0Ywg0LLQuNC90LTQvtGD0Lci?="; + $this->assertSame($encodedlongstr, $mailer->encodeHeader($longstr)); + $this->assertSame('"' . $encodedlongstr . '"', $mailer->encodeHeader($longstr, 'phrase')); } /**
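Review bot: The new assertions cover only double quotes and backslashes, while the character list passed to `addcslashes()` in `moodle_phpmailer::encodeHeader()` also targets the control range `\0..\37` and `\177`, which no case here exercises. A case with a control character (a tab or carriage return, say) in a `phrase` value would pin that the raw byte never reaches the header, introduced by a comment such as `// Control characters must be escaped in quoted email headers.` Separately, `$encodedlongstr` embeds literal newlines in the source string, so the last two assertions presumably hold only while the file keeps LF line endings and the mailer's `LE` is "\n"; writing the expected value with explicit "\n" escapes would make that dependency visible.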
References
6- moodle.org/mod/forum/discuss.phpnvdMitigationPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/92040nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-2hh3-jmv8-5fmxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-5013ghsaADVISORY
- github.com/moodle/moodle/commit/ed63718caa48803843a14140d8a27f04aba9c8c4ghsaWEB
- web.archive.org/web/20210123154543/http://www.securityfocus.com/bid/92040ghsaWEB