Danbardo

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.7.2 and earlier **Description** The issue allows authenticated users, such as those with a Teacher role or above, to inject JavaScript into another user's session, including enrolled students or site administrators, via the `introeditor[text]` parameter in the `/course/modedit.php` endpoint. There is a disagreement between the discoverer and the vendor regarding the expectation of trust for users authenticated as Teachers to add arbitrary JavaScript, as this ability is not documented on Moodle's Teacher role page. **Recommendations** For Moodle versions 3.7.2 and earlier, as a temporary workaround, consider disabling the ability for Teachers to edit course modules or restrict access to the `/course/modedit.php` endpoint until a resolution is provided. Avoid using the `introeditor[text]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.