In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.

In Moodle 3.x, there is XSS in the assignment submission page.

In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.