A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.