GHSA-v9xq-vh72-chr4

GitHub Security Advisory

Moodle Unauthenticated users can trigger custom messages to admin via paypal enrol script

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should send error emails to the admin only after the request origin has been verified; otherwise the admin's email can be spammed.
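
The ordering described above, as an added PHP example that is not Moodle's code: unverified requests are logged and dropped, and only a verified message can cause an admin email. The function and variable names are hypothetical, the field names are PayPal's standard IPN variables rather than values from this advisory, and the `$verify` callable stands in for PayPal's postback validation so the example runs offline.

```php
<?php
declare(strict_types=1);

// Added illustration, not Moodle's code. All names here are hypothetical.
// $verify stands in for PayPal's postback check (the handler re-sends the
// message with cmd=_notify-validate and expects the body "VERIFIED").
function handle_ipn(array $post, callable $verify, callable $notifyAdmin, callable $log): string
{
    // 1. Structural checks. Anyone can reach this code without logging in,
    //    so failures are logged only and never emailed.
    foreach (['txn_id', 'custom', 'payment_status'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $log("ipn rejected: missing or malformed field $field");
            return 'rejected';
        }
    }

    // 2. Origin check comes before any admin-facing side effect.
    if (!$verify($post)) {
        $log('ipn rejected: origin not verified');
        return 'rejected';
    }

    // 3. Only a verified message may produce an error email.
    if ($post['payment_status'] !== 'Completed') {
        $notifyAdmin('PayPal payment not completed: ' . $post['payment_status'], $post);
        return 'notified';
    }
    return 'processed';
}

// Constructed sample input and in-memory stand-ins for mail, log and PayPal.
$mails = [];
$logs = [];
$notify = function (string $subject, array $data) use (&$mails): void { $mails[] = $subject; };
$log = function (string $line) use (&$logs): void { $logs[] = $line; };
$verify = fn(array $p): bool => $p['txn_id'] === 'TXN-GENUINE'; // constructed rule

$unverified = ['txn_id' => 'TXN-OTHER', 'custom' => 'free text', 'payment_status' => 'Failed'];
$verified   = ['txn_id' => 'TXN-GENUINE', 'custom' => '2-5-7', 'payment_status' => 'Failed'];

echo handle_ipn($unverified, $verify, $notify, $log), PHP_EOL;
echo handle_ipn($verified, $verify, $notify, $log), PHP_EOL;
echo count($mails), ' admin mail(s), ', count($logs), ' log line(s)', PHP_EOL;
```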

Affected Packages

Packagist moodle/moodle, affected versions: 3.1 (fixed in 3.1.11)
Packagist moodle/moodle, affected versions: 3.2 (fixed in 3.2.8)
Packagist moodle/moodle, affected versions: 3.3 (fixed in 3.3.5)
Packagist moodle/moodle, affected versions: 3.4 (fixed in 3.4.2)

Key Information

GHSA ID: GHSA-v9xq-vh72-chr4
Published: May 13, 2022 1:17 AM
Last Modified: April 23, 2024 11:41 PM
CVSS Score: 5.0/10
Primary Ecosystem: Packagist
Primary Package: moodle/moodle
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.