A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10891
github.com/moodle/moodle
github.com/moodle/moodle/commit/0b18d0c960c27994dd9870d286f2da3fa5868c06
moodle.org/mod/forum/discuss.php?d=373371
nvd.nist.gov/vuln/detail/CVE-2018-10891
web.archive.org/web/20210124185945/https://www.securityfocus.com/bid/104739