Skylar Kelty

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.5.10 Moodle versions 2.6.x before 2.6.7 Moodle versions 2.7.x before 2.7.4 Moodle versions 2.8.x before 2.8.2 **Description** A cross-site scripting (XSS) issue exists due to insufficient protection of the web page structure. This allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. The vulnerability can be exploited by a remote attacker to inject malicious code. **Recommendations** For Moodle versions prior to 2.5.10, update to version 2.5.10 or later. For Moodle versions 2.6.x before 2.6.7, update to version 2.6.7 or later. For Moodle versions 2.7.x before 2.7.4, update to version 2.7.4 or later. For Moodle versions 2.8.x before 2.8.2, update to version 2.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.7.x through 2.7.0 **Description** A cross-site scripting issue exists due to improper handling of a crafted username during the logging of an invalid login attempt. This occurs in the get description function in lib/classes/event/user login failed.php. **Recommendations** For Moodle versions 2.7.x through 2.7.0, update to version 2.7.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.7.0 through 2.7.1 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific vectors, including crafted error or success messages for scheduled tasks. **Recommendations** For Moodle versions 2.7.0 through 2.7.1, update to version 2.7.1 or later to resolve the issue.