CVE-2023-46858

Name of the Vulnerable Software and Affected Versions Moodle version 4.3

Description The issue allows for reflected XSS in the /grade/report/grader/index.php endpoint when the searchvalue parameter is used, and the user is logged in as a teacher. According to the Moodle Security FAQ, teachers can post content that is capable of XSS, but students cannot.

Recommendations For Moodle version 4.3, as a temporary workaround, consider restricting access to the /grade/report/grader/index.php endpoint until a patch is available. Avoid using the searchvalue parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.