Description
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.
Remediation
References