In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.

Insufficient capability checks made it possible for teachers to download users outside of their courses.

A session hijack risk was identified in the Shibboleth authentication plugin.

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.