Yuri Zwaig

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 3.9.1 Moodle versions prior to 3.8.4 Moodle versions prior to 3.7.7 Moodle versions prior to 3.5.13 **Description** The issue is related to the yui combo component, which does not limit the amount of files it can load, potentially leading to a denial of service risk. **Recommendations** For versions prior to 3.9.1, update to version 3.9.1 or later. For versions prior to 3.8.4, update to version 3.8.4 or later. For versions prior to 3.7.7, update to version 3.7.7 or later. For versions prior to 3.5.13, update to version 3.5.13 or later.

**Name of the Vulnerable Software and Affected Versions** moodle versions 3.7 through 3.7.2 moodle versions prior to 3.7.3 **Description** A blind XSS issue is present in certain locations where user email is displayed. This allows for reflected XSS attacks. **Recommendations** For moodle versions 3.7 through 3.7.2, update to version 3.7.3 or later. For moodle versions prior to 3.7.3, update to version 3.7.3 or later. As a temporary workaround, consider restricting access to locations where user email is displayed until a patch is available.