Description
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.
Remediation
References