Description
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.
Remediation
References
Related Vulnerabilities
Drupal Core 4.5.x Session Fixation (4.5.0 - 4.5.7)
WordPress Plugin FireStorm Professional Real Estate Multiple SQL Injection Vulnerabilities (2.05.01)
WordPress Plugin WP Featured Post with thumbnail 'src' Parameter Cross-Site Scripting (3.0)
Moodle CVE-2023-5543 Vulnerability (CVE-2023-5543)
SharePoint Deserialization of Untrusted Data Vulnerability (CVE-2024-38023)