
Lucas Gomes

#45073 of 53,632
5.5 Total CVSS
Vulnerabilities · 1
PT-2022-5149
5.5
2021-07-13
Moodle · Moodle · CVE-2021-36568
**Name of the Vulnerable Software and Affected Versions**

Moodle versions 3.9.7 through 3.11.10

Moodle versions 3.10.4

**Description**

The issue is related to the lack of protection for the web page structure in Moodle, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. Specifically, in certain Moodle products, after creating a course, it is possible to add a resource to an arbitrary "Topic", in this case, a "Database" with the type "Text", where the `Field name` and `Field description` values are vulnerable to stored XSS.

**Recommendations**

For Moodle versions 3.9.7, update to a version later than 3.9.7. For Moodle versions 3.10.4, update to a version later than 3.10.4. For Moodle versions 3.11.x prior to 3.11.10, update to version 3.11.10 or later.

As a temporary workaround, consider restricting access to the "Database" resource with the type "Text" in arbitrary "Topics" until a patch is available. Avoid using the `Field name` and `Field description` values in the affected "Database" resource until the issue is resolved.