Simon Coggins

**Name of the Vulnerable Software and Affected Versions** Flowplayer Flash versions prior to 3.2.17 Moodle versions prior to 2.3.11 Moodle versions 2.4.x prior to 2.4.9 Moodle versions 2.5.x prior to 2.5.5 Moodle versions 2.6.x prior to 2.6.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML by providing a crafted `playerId` or referencing an external domain. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For Flowplayer Flash versions prior to 3.2.17, update to version 3.2.17 or later. For Moodle versions prior to 2.3.11, update to version 2.3.11 or later. For Moodle versions 2.4.x prior to 2.4.9, update to version 2.4.9 or later. For Moodle versions 2.5.x prior to 2.5.5, update to version 2.5.5 or later. For Moodle versions 2.6.x prior to 2.6.2, update to version 2.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.x through 2.2.6 Moodle versions 2.3.x through 2.3.3 Moodle versions 2.4.x through 2.4.0 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via vectors related to several API endpoints, including "backup/backupfilesedit.php", "comment/comment post.php", "course/switchrole.php", "mod/wiki/filesedit.php", "tag/coursetags add.php", and "user/files.php". **Recommendations** For Moodle versions 2.2.x through 2.2.6, update to version 2.2.7 or later. For Moodle versions 2.3.x through 2.3.3, update to version 2.3.4 or later. For Moodle versions 2.4.x through 2.4.0, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 1.9.x through 1.9.17 **Description** A cross-site scripting issue exists due to insufficient input validation in the blog implementation. This allows remote attackers to inject arbitrary web script or HTML via a crafted parameter to the "blog/index.php" endpoint, specifically when using Internet Explorer. **Recommendations** For Moodle versions 1.9.x through 1.9.17, update to version 1.9.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 1.9.x through 1.9.17 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event in the calendar implementation. **Recommendations** For Moodle versions 1.9.x through 1.9.17, update to version 1.9.18 or later to resolve the issue.