Tim Hunt

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 3.8.2 Moodle versions prior to 3.7.5 Moodle versions prior to 3.6.9 Moodle versions prior to 3.5.11 **Description** The issue allows users to view the grade history report without proper restrictions. Specifically, users without the 'access all groups' capability could view grades of users outside their own groups. **Recommendations** For versions prior to 3.8.2, update to version 3.8.2 or later. For versions prior to 3.7.5, update to version 3.7.5 or later. For versions prior to 3.6.9, update to version 3.6.9 or later. For versions prior to 3.5.11, update to version 3.5.11 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.0 through 3.0.3 Moodle versions 2.9 through 2.9.5 Moodle versions 2.8 through 2.8.11 Moodle versions 2.7 through 2.7.13 Moodle versions prior to 2.7 **Description** The issue allows remote authenticated users to read the badges of other users due to a capability check flaw in accessing other badges. **Recommendations** For Moodle versions 3.0 through 3.0.3, update to a version outside of this range to resolve the issue. For Moodle versions 2.9 through 2.9.5, update to a version outside of this range to resolve the issue. For Moodle versions 2.8 through 2.8.11, update to a version outside of this range to resolve the issue. For Moodle versions 2.7 through 2.7.13, update to a version outside of this range to resolve the issue. For Moodle versions prior to 2.7, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.5.10 Moodle versions 2.6.x through 2.6.8 Moodle versions 2.7.x through 2.7.5 Moodle versions 2.8.x through 2.8.3 **Description** A cross-site scripting (XSS) issue exists due to insufficient protection of the web page structure. This allows a remote attacker to inject arbitrary web script or HTML by manipulating input data, potentially leveraging the student role for a crafted quiz response. **Recommendations** For versions prior to 2.5.10, update to version 2.5.10 or later. For versions 2.6.x through 2.6.8, update to version 2.6.9 or later. For versions 2.7.x through 2.7.5, update to version 2.7.6 or later. For versions 2.8.x through 2.8.3, update to version 2.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.3.11 Moodle versions 2.4.x before 2.4.9 Moodle versions 2.5.x before 2.5.5 Moodle versions 2.6.x before 2.6.2 **Description** A cross-site scripting (XSS) issue exists in the quiz question tostring function in mod/quiz/editlib.php, allowing remote authenticated users to inject arbitrary web script or HTML via a quiz question. **Recommendations** For Moodle versions prior to 2.3.11, update to version 2.3.11 or later. For Moodle versions 2.4.x before 2.4.9, update to version 2.4.9 or later. For Moodle versions 2.5.x before 2.5.5, update to version 2.5.5 or later. For Moodle versions 2.6.x before 2.6.2, update to version 2.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.5 Moodle versions 2.2.x through 2.2.2 **Description** The issue allows remote authenticated users to bypass capability requirements and add arbitrary questions to a quiz via the questions feature. **Recommendations** For Moodle versions 2.1.x through 2.1.5, update to version 2.1.6 or later. For Moodle versions 2.2.x through 2.2.2, update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.5 Moodle versions 2.2.x through 2.2.2 **Description** The issue allows remote authenticated users to bypass intended capability requirements and save questions. This is achieved via a `save question` action in the question-bank functionality. **Recommendations** For Moodle versions 2.1.x through 2.1.5, update to version 2.1.6 or later. For Moodle versions 2.2.x through 2.2.2, update to version 2.2.3 or later.