Main Vulnerability Database Vulnerabilities #VU43851

Code Injection in Moodle - CVE-2012-0796

Published: July 17, 2012 / Updated: August 11, 2020

Vulnerability identifier: #VU43851

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2012-0796

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: moodle.org

Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote #AU# to manipulate data.

class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.

How to mitigate CVE-2012-0796

Install update from vendor's website.

Sources

http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
http://moodle.org/mod/forum/discuss.php?d=194015
http://www.debian.org/security/2012/dsa-2421
https://bugzilla.redhat.com/show_bug.cgi?id=783532

Code Injection in Moodle - CVE-2012-0796

Detailed vulnerability description

How to mitigate CVE-2012-0796

Sources

Please verify you're human