Moodle · Moodle · CVE-2021-32478
**Name of the Vulnerable Software and Affected Versions**
Moodle versions 3.10 to 3.10.3
Moodle versions 3.9 to 3.9.6
Moodle versions 3.8 to 3.8.8
Moodle versions prior to 3.8
**Description**
The LTI authorization endpoint did not sufficiently sanitize user-provided data, in particular the redirect URI passed to it, leading to reflected cross-site scripting (XSS) and open redirect risks. This could allow a remote attacker to perform cross-site scripting attacks.
**Recommendations**
For all affected versions (3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, and versions prior to 3.8), update to a version that includes the necessary sanitizing of the redirect URI in the LTI authorization endpoint.
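To illustrate the class of check the description and recommendations refer to, here is an added example (not Moodle's code; the endpoint shape, the per-tool allowlist of registered redirect URIs and the sample inputs are assumptions) that contrasts an unescaped reflection of the redirect URI with a handler that only redirects to an exactly registered URI and HTML-escapes anything it echoes back:

```python
"""Validating the redirect URI of an LTI authorization request.

Added illustration, not Moodle's own code: the registration table, the
client_id values and the error page markup are constructed for the example.
"""
from __future__ import annotations

import html
from urllib.parse import urlsplit

# Constructed registration: the redirect URIs each tool registered with the platform.
REGISTERED_REDIRECT_URIS: dict[str, set[str]] = {
    "tool-123": {"https://tool.example.org/lti/launch"},
}


def render_error_unsafe(redirect_uri: str) -> str:
    # Weak pattern: the request-controlled URI lands in HTML unescaped,
    # which is how a reflected XSS in an error page comes about.
    return f"<p>Invalid redirect URI: {redirect_uri}</p>"


def render_error(redirect_uri: str) -> str:
    # Hardened: escape every reflected value, including quotes, before output.
    return f"<p>Invalid redirect URI: {html.escape(redirect_uri, quote=True)}</p>"


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """True only when redirect_uri exactly matches a URI the tool registered."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False  # rejects javascript:, data:, and scheme-relative //host forms
    if parts.fragment:
        return False  # a fragment is never part of a registered URI
    # Exact string match: no prefix, host-only or query-tolerant comparison.
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def handle_auth_request(client_id: str, redirect_uri: str) -> tuple[int, str]:
    """Return (status, body_or_location) as the endpoint would respond."""
    if not validate_redirect_uri(client_id, redirect_uri):
        # Never redirect to an unknown URI; answer with an escaped error page.
        return 400, render_error(redirect_uri)
    return 302, redirect_uri
```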