|Topic:||Email could be changed in profile without confirmation|
|Versions affected:||< 1.8.6, < 1.9.2|
|Reported by:||multiple external reports|
|Solution:||upgrade to 1.9.2 or 1.8.6. Patch is provided at
Description: In previous versions of Moodle, a user who was already authenticated could change their own email address without having to prove they could access that new email account. In Moodle 1.8.6 and 1.9.2, a new setting called emailchangeconfirmation (default: on) forces all users on the site to go through a confirmation process whenever they want to change their email address. Moodle 1.6.x and 1.7.x sites have not had this new feature added yet; we highly recommend upgrading to 1.9.x if this concerns you.
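A minimal sketch of the kind of confirmation flow the description refers to, added here as an illustration and not taken from Moodle's code. Only the setting name emailchangeconfirmation comes from the advisory; the class, method names, token lifetime and in-memory storage are assumptions.

```python
# Hypothetical illustration of an email-change confirmation flow.
# Not Moodle's implementation; all names except the setting are assumed.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)


class EmailChangeService:
    """Holds a requested address as pending until the emailed token is presented."""

    def __init__(self, emailchangeconfirmation=True):
        self.emailchangeconfirmation = emailchangeconfirmation
        self.emails = {}    # user id -> confirmed address
        self.pending = {}   # user id -> (new address, token hash, expiry)

    def request_change(self, user_id, new_email, now=None):
        """Return the token to mail to new_email, or None if applied directly."""
        if not self.emailchangeconfirmation:
            # Behaviour without confirmation: the unverified address takes effect at once.
            self.emails[user_id] = new_email
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked pending table does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user_id] = (new_email, digest, now + TOKEN_TTL)
        return token  # delivered only to the new mailbox

    def confirm_change(self, user_id, token, now=None):
        """Apply the pending address if the token matches and has not expired."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        new_email, digest, expires = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self.pending[user_id]  # single use; also discards an expired request
        if now > expires:
            return False
        self.emails[user_id] = new_email
        return True
```

The confirmed address changes only inside confirm_change, so a session holder who cannot read the new mailbox cannot complete the change.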