The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via error message links that lead offsite.
git.moodle.org/gw?p=moodle.git;a=commit;h=8f9f666c902cb30ef6f519353f38c45a29fdf4a6
moodle.org/mod/forum/discuss.php?d=182737
openwall.com/lists/oss-security/2011/11/14/1
github.com/moodle/moodle
github.com/moodle/moodle/commit/18c2fcf8f19e00f0e89421d8fd8b7486a6dc6f79
github.com/moodle/moodle/commit/417fdfab6bbdcfc3f5b64704ec06912ae9cd1050
github.com/moodle/moodle/commit/8f9f666c902cb30ef6f519353f38c45a29fdf4a6
nvd.nist.gov/vuln/detail/CVE-2011-4294