CVE-2018-1081
Description
Unauthenticated users can spam admin email via PayPal enrollment script in Moodle due to missing origin verification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Moodle versions 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10, and earlier unsupported versions contain a flaw in the PayPal enrollment script. The PayPal IPN callback script sends error emails to the admin without verifying the request origin, allowing unauthenticated users to send custom messages to the admin [1].
Exploitation
An unauthenticated attacker can craft a request to the PayPal IPN callback endpoint with custom error message parameters. Since the origin is not verified, the script will send an email with the attacker-controlled content to the admin. No authentication or special network position is required [1].
Impact
The attacker can spam the admin email address with arbitrary messages, potentially leading to email inbox flooding or social engineering attacks. There is no direct impact on confidentiality or integrity of data, but it can disrupt admin operations [1].
Mitigation
The fix version is not disclosed in the available references. Users should consult the Moodle advisory and upgrade to the latest supported version to mitigate this vulnerability [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.1, < 3.1.11 | 3.1.11 |
| moodle/moodle (Packagist) | >= 3.2, < 3.2.8 | 3.2.8 |
| moodle/moodle (Packagist) | >= 3.3, < 3.3.5 | 3.3.5 |
| moodle/moodle (Packagist) | >= 3.4, < 3.4.2 | 3.4.2 |
Affected products
- Red Hat, Inc./Moodle (v5). Range: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-v9xq-vh72-chr4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1081 (ghsa, ADVISORY)
- www.securityfocus.com/bid/103728 (ghsa, vdb-entry, x_refsource_BID, WEB)
- moodle.org/mod/forum/discuss.php (ghsa, x_refsource_CONFIRM, WEB)