Flaws that can be used to bypass certain security restrictions were discovered in Moodle. Input passed to unspecified parameters is not properly sanitised before being used to construct e-mail messages. This flaw can be exploited to inject arbitrary e-mail headers.
The application does not invalidate a deleted user's session, which allows an attacker to bypass authentication mechanisms.
The flaws were found in versions from 2.1 to 2.1.3+, 2.2 and 2.0.6+. Users should upgrade to 2.2.1 or later, 2.1.4 or later, or 2.0.7 or later.
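The header-injection class described above comes down to user input reaching a mail header with a line break still in it. The following is an added example, not Moodle code and not taken from the advisory: the function names and sample values are hypothetical, and it shows a check that refuses such values before headers are built.

```php
<?php
// Added example, not Moodle code; all function names are hypothetical.

/** Return $value unchanged if it is safe to place in a single-line mail
 *  header; throw if it contains CR, LF or NUL, which would end the header
 *  early and let the remainder be parsed as further headers. */
function require_single_line(string $field, string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new InvalidArgumentException("$field contains a line break or NUL");
    }
    return $value;
}

/** Build the header map for a notification from user-supplied fields. */
function build_mail_headers(string $subject, string $replyTo): array
{
    $subject = require_single_line('subject', $subject);
    $replyTo = require_single_line('reply-to', $replyTo);
    // Address syntax check on top of the line-break check.
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('reply-to is not a valid address');
    }
    return ['Subject' => $subject, 'Reply-To' => $replyTo];
}

// Constructed sample inputs: [subject, reply-to].
$samples = [
    ['Forum digest', 'teacher@example.test'],
    ["Forum digest\r\nBcc: other@example.test", 'teacher@example.test'],
    ['Forum digest', "teacher@example.test\nX-Added: 1"],
    ["Forum\rdigest", 'teacher@example.test'],
];

foreach ($samples as [$subject, $replyTo]) {
    try {
        $headers = build_mail_headers($subject, $replyTo);
        echo 'accepted: ', json_encode($headers), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting the value outright, rather than stripping the line break and sending anyway, keeps a tampered request from producing mail at all and gives the application something to log.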
Source: Secunia
18.01.2012