In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.