Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Authenticated users were able to enumerate other users' names via the learning plans page.

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

The URL parameters accepted by forum search were not limited to the allowed parameters.

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.