MSA-08-0016: Email could be changed in profile without confirmation

by Petr Skoda
Topic: Email could be changed in profile without confirmation
Severity: Major
Versions affected: < 1.8.6, < 1.9.2
Reported by: multiple external reports
Issue no.: MDL-13811
Solution: upgrade to 1.9.2 or 1.8.6. Patch is provided at MDL-13811

Description:

In previous versions of Moodle, a user who was already authenticated could change their own email address without having to prove they could access the new email account. In Moodle 1.8.6 and 1.9.2, a new setting called emailchangeconfirmation (default: on) forces all users on the site to go through a confirmation process whenever they want to change their email address. This feature has not yet been added to Moodle 1.6.x and 1.7.x; we highly recommend upgrading to 1.9.x if this concerns you.
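
The following added example (not Moodle's code and not part of the advisory) models the behaviour described above: an immediate change versus a change that takes effect only after a token sent to the new address is presented. The Profile class, function names, token lifetime and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 1800  # assumed token lifetime in seconds


class Profile:
    def __init__(self, email):
        self.email = email
        self.pending = None  # (new_email, sha256 of token, expires_at)


def change_email_unconfirmed(profile, new_email):
    # Behaviour the advisory describes for affected versions:
    # the stored address is replaced as soon as the form is submitted.
    profile.email = new_email


def request_email_change(profile, new_email, now=None):
    # Record the request but leave profile.email untouched. The returned
    # token is what would be mailed to new_email (and nowhere else).
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    profile.pending = (new_email, digest, now + TOKEN_TTL)  # store hash only
    return token


def confirm_email_change(profile, token, now=None):
    # Apply the pending address only if the caller presents the mailed token.
    now = time.time() if now is None else now
    if profile.pending is None:
        return False
    new_email, digest, expires_at = profile.pending
    if now > expires_at:
        profile.pending = None  # expired requests are discarded
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, digest):  # constant-time compare
        return False
    profile.email = new_email
    profile.pending = None  # token is single use
    return True
```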