| Description: | By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker. |
| Issue summary: | User firstname/lastname not sanitized when sending emails |
| Severity/Risk: | Minor |
| Versions affected: | 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions |
| Versions fixed: | 3.1.1, 3.0.5, 2.9.7 and 2.7.15 |
| Reported by: | Pierre Guinoiseau |
| Issue no.: | MDL-55069 |
| Workaround: | Temporary prohibit users from editing their first and last names until the fix is applied |
| CVE identifier: | CVE-2016-5013 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069 |