Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

The course upload preview contained an XSS risk for users uploading unsafe data.

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.