Martin Greenaway

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.9 Moodle versions 2.8.x before 2.8.7 Moodle versions 2.9.x before 2.9.1 **Description** The SCORM module in Moodle contains multiple cross-site scripting (XSS) vulnerabilities due to the lack of protection of the web page structure. This allows a remote attacker to inject arbitrary web script or HTML via a crafted organization name to the "mod/scorm/player.php" or "mod/scorm/prereqs.php" API endpoints. **Recommendations** For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.9, update to version 2.7.9 or later. For versions 2.8.x before 2.8.7, update to version 2.8.7 or later. For versions 2.9.x before 2.9.1, update to version 2.9.1 or later. As a temporary workaround, consider restricting access to the "mod/scorm/player.php" and "mod/scorm/prereqs.php" API endpoints until a patch is available.