Damyon Wiese

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.8.x through 2.8.1 **Description** The issue allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback. This is due to the failure to set the RISK XSS bit for graders in the access.php file of the Lesson module. The exploitation of this issue may enable a remote attacker to perform cross-site scripting using the feedback form. **Recommendations** For Moodle versions 2.8.x through 2.8.1, update to version 2.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Lesson module's essay feedback feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.7.x through 2.7.2 **Description** The issue allows remote authenticated users to obtain sensitive information by accessing the get grades web service, leveraging the student role. This occurs because the `lib/classes/grades external.php` file does not consider the `moodle/grade:viewhidden` capability before displaying hidden grades. **Recommendations** For Moodle versions 2.7.x through 2.7.2, update to version 2.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the get grades web service for users with the student role until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.3.11 and earlier Moodle versions 2.4.x through 2.4.9 Moodle versions 2.5.x through 2.5.5 Moodle versions 2.6.x through 2.6.2 **Description** The issue allows remote authenticated users to de-anonymize student identities. This can be achieved by either using a screen reader or reading the HTML source. **Recommendations** For Moodle version 2.3.11 and earlier, update to version 2.4.10 or later. For Moodle versions 2.4.x through 2.4.9, update to version 2.4.10 or later. For Moodle versions 2.5.x through 2.5.5, update to version 2.5.6 or later. For Moodle versions 2.6.x through 2.6.2, update to version 2.6.3 or later.