There are at least two configurations of Drupal core that can lead to situations where the e-mail address of a user is not a valid nor confirmed address.
If another module outside of core allows for similar situations it is not considered a security vulnerability.
Modules should, however, implement flood control to prevent broad abuse of these situations.
1. Immediate registration without validation of e-mail
Drupal 6 and 7 allow site administrators to configure their site to allow access to users immediately after they register. This doesn't require validation of the e-mail address so a malicious user could register on a site using the address of someone they wish to send unsolicited e-mails. They could register a second time and use that second user to send contact messages to the first user account. The could then use a second issue to send yet more mails.
2. Registered users can change their e-mail without verifying the new address
This issue affects Drupal core in 6 and 7. Users can register, whether or not registration requires verification of the email address, and then change their e-mail address after the fact without having to verify the address.
This could be used in a similar manner to the first issue.