Security announcements

MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script

 
by Marina Glancy

The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email can be spammed.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions
Versions fixed: 3.4.2, 3.3.5, 3.2.8 and 3.1.11
Reported by: Brendan Cox
CVE identifier: CVE-2018-1081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
Tracker issue: MDL-61392 Unauthenticated users can trigger custom messages to admin via paypal enrol script
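
The ordering the advisory calls for (verify the request origin first, email the admin only afterwards), shown as an added PHP example; it is not Moodle's code or the MDL-61392 patch. The function `handle_ipn`, the injected `$verify`, `$notifyadmin` and `$log` callables, and the `digits-digits` format of the `custom` field are assumptions made for illustration.

```php
<?php
// Added illustration; not Moodle's enrol/paypal code. All names are hypothetical.
// $verify asks the payment provider whether it really sent this message.
function handle_ipn(array $post, callable $verify, callable $notifyadmin, callable $log): string {
    // 1. Shape check. The sender is still unknown, so a failure is only
    //    logged, and the log line carries no request content.
    $custom = $post['custom'] ?? null;
    if (!is_string($custom) || !preg_match('/^\d+-\d+\z/', $custom)) {
        $log('ipn dropped before verification: malformed custom field');
        return 'dropped';
    }
    // 2. Origin check. Still no email on failure.
    if (!$verify($post)) {
        $log('ipn dropped: origin not verified');
        return 'dropped';
    }
    // 3. Verified. Processing errors may now be mailed, with a bounded,
    //    allow-listed value rather than raw request text.
    $status = $post['payment_status'] ?? null;
    if ($status !== 'Completed') {
        $known = ['Pending', 'Failed', 'Denied', 'Refunded'];
        $shown = in_array($status, $known, true) ? $status : 'unrecognised';
        $notifyadmin('Payment needs attention', "Reference $custom, status: $shown");
        return 'notified';
    }
    return 'accepted';
}

// Constructed sample requests and in-memory sinks, so the script runs offline.
$mails = [];
$logs = [];
$notify = function (string $subject, string $body) use (&$mails): void {
    $mails[] = "$subject | $body";
};
$log = function (string $line) use (&$logs): void {
    $logs[] = $line;
};
$unverified = function (array $post): bool { return false; };
$verified = function (array $post): bool { return true; };

$results = [
    handle_ipn(['custom' => 'free text'], $unverified, $notify, $log),
    handle_ipn(['custom' => '12-34', 'payment_status' => 'Pending'], $unverified, $notify, $log),
    handle_ipn(['custom' => '12-34', 'payment_status' => 'Pending'], $verified, $notify, $log),
    handle_ipn(['custom' => '12-34', 'payment_status' => 'Completed'], $verified, $notify, $log),
];
echo implode(', ', $results), PHP_EOL;
echo count($mails), ' admin mail(s), ', count($logs), ' log line(s)', PHP_EOL;
```

Only the third request, which passes the origin check and still has a processing problem, produces an admin email; the two unverified requests end in the log.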