Yes, if you provide hosting for Moodle sites and you don't trust Moodle admin users, you must upgrade Moodle ASAP or, as a workaround, you can specify in config.php either the SMTP host or the noreply/support email.
If you have a self-hosted site and the admin of the site is already an admin on the server, such admins do not need to exploit this vulnerability as they can execute any code on the server anyway. This includes situations when the Moodle admin is the same person who can ssh/ftp to the server.
I also would like to point out that if plugin installation is enabled on the Moodle site (by both config and writable directory permissions), Moodle admins are already trusted to execute anything they want on the server. Also, when we say that code will be executed on the server, keep in mind that the user executing it will be the web user, and hopefully the server is set up properly and this user cannot do too much harm to the server.
I actually wanted to mark this security issue as "Minor" but some of my colleagues convinced me that it could be serious in some situations. Some institutions have multiple admins, for example, and not all of them can ssh/ftp directly. But again, if these admins are not trusted they can already do lots of harm to the Moodle site; the only difference in this case is that they can also do some harm to the server. MoodleCloud would be a good example of the serious vulnerability case - admins are just random people who can set up an empty Moodle site and try to attack the server. However, https://moodlecloud.com was not affected as it uses SMTP and not phpmailer.
The vulnerability inside phpmailer itself is very serious, but Moodle already properly validates/escapes/quotes all user-specified emails and names, and the only affected area was the admin setting of the noreply/support email.