lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966
www.securitytracker.com/id/1031215
github.com/moodle/moodle
github.com/moodle/moodle/commit/0a0145c5e8041aadeff303a9f9984c86706b4e42
github.com/moodle/moodle/commit/293e4bbcb71f0a801c2539ea051c58688314b23a
github.com/moodle/moodle/commit/3c98b7a5ad1bb596a738e550fc3bf966d6415fe0
github.com/moodle/moodle/commit/ac6e453d11024bf6ad99ada1bfc641c6b91ebed6
moodle.org/mod/forum/discuss.php?d=275146
nvd.nist.gov/vuln/detail/CVE-2014-9059
web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215
web.archive.org/web/20200229043651/www.securityfocus.com/bid/71133
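The header gap described above can be checked for on the defensive side. The following is an added example, not code from Moodle or from the referenced commits: it flags textual responses whose `Content-Type` carries no `charset` parameter and notes when the body also holds UTF-7 shifted runs that decode to markup characters. The function names, result labels and sample responses are assumptions constructed for illustration.

```python
import re
from email.message import Message

# Media types that a browser may render or a script may consume as text.
TEXTUAL = ("text/", "application/json", "application/javascript", "application/xml")
# A UTF-7 shifted run: '+', modified base64 characters, closing '-'.
UTF7_RUN = re.compile(rb"\+[A-Za-z0-9+/]+-")
MARKUP = set("<>\"'")

def parse_content_type(value):
    """Return (media_type, charset or None) for a Content-Type header value."""
    msg = Message()
    if value:
        msg["Content-Type"] = value
    charset = msg.get_param("charset")
    charset = charset.lower() if isinstance(charset, str) and charset else None
    return msg.get_content_type(), charset

def hides_markup(body):
    """True if a UTF-7 run in the body decodes to HTML-significant characters."""
    for run in UTF7_RUN.findall(body):
        try:
            decoded = run.decode("utf-7")
        except UnicodeDecodeError:
            continue  # not valid UTF-7, e.g. "+1-" inside a phone number
        if MARKUP & set(decoded):
            return True
    return False

def audit_response(headers, body):
    """Classify one response: 'ok', 'missing-charset' or 'missing-charset+utf7-markup'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    media_type, charset = parse_content_type(hdrs.get("content-type"))
    if not media_type.startswith(TEXTUAL) or charset:
        return "ok"  # non-textual type, or the encoding is pinned by the server
    return "missing-charset+utf7-markup" if hides_markup(body) else "missing-charset"

# Constructed sample responses (not captured from a real Moodle site).
SAMPLES = [
    ({"Content-Type": "application/json; charset=utf-8"}, b'{"name": "+ADw-b+AD4-x"}'),
    ({"content-type": "application/json"}, b'{"name": "+ADw-b+AD4-x"}'),
    ({"Content-Type": "text/html"}, b"<p>call +1-555-0100</p>"),
    ({"Content-Type": "image/png"}, b"\x89PNG"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(audit_response(headers, body), headers)
```
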