Mike Evans

Researcher from Pentura
#49453 of 53,633
5 Total CVSS
Vulnerabilities · 1
PT-2011-4883
5.0
2011-12-22
Moodle · Moodle · CVE-2011-4203
**Name of the Vulnerable Software and Affected Versions**

- Moodle versions 1.9.x through 1.9.14
- Moodle versions 2.0.x through 2.0.5
- Moodle versions 2.1.x through 2.1.2
- Moodle version 2.2

**Description**

The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the `url` variable. This is a CRLF injection vulnerability in the calendar/set.php file in the Calendar component.

**Recommendations**

- For Moodle versions 1.9.x through 1.9.14, update to version 1.9.15 or later.
- For Moodle versions 2.0.x through 2.0.5, update to version 2.0.6 or later.
- For Moodle versions 2.1.x through 2.1.2, update to version 2.1.3 or later.
- For Moodle version 2.2, update to a version that includes the fix for this issue, as version 2.2 is affected but no specific fixed version is mentioned in the provided data.