The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

The course upload preview contained an XSS risk for users uploading unsafe data.

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Authenticated users were able to enumerate other users' names via the learning plans page.

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.