An SQL injection risk was identified in the module list filter within course search.

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

A vulnerability was found in moodle-block_sitenews 1.0. It has been classified as problematic. This affects the function get_content of the file block_sitenews.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.1 is able to address this issue. The name of the patch is cd18d8b1afe464ae6626832496f4e070bac4c58f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216879.