Description
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.
Remediation
References