Description
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.
Remediation
References
Related Vulnerabilities
WordPress Plugin Virtual Robots.txt Cross-Site Scripting (1.9)
WordPress Plugin Advanced Booking Calendar SQL Injection (1.6.1)
Hesk Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3743)
WordPress Plugin Simple Membership Cross-Site Scripting (3.5.6)
WordPress Plugin ReviewX-Multi-criteria Rating & Reviews for WooCommerce SQL Injection (1.6.8)