Moodle is vulnerable to cross-site scripting (XSS). The vulnerability exists because user input is not sanitized during recursive lambda function rendering in the Mustache template helper renderer, allowing an attacker to inject maliciously crafted script into the system.
bugzilla.redhat.com/show_bug.cgi?id=2128146
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68066
github.com/moodle/moodle/commit/013cb2fb644c1d9bc3c4fdac9ed8df56152a7ce6
github.com/moodle/moodle/commit/d98b39a597594f36d8e360a5b32f87acbd233ffc
github.com/moodle/moodle/commit/ec77ff847461bfcfb649676370f23e1db6a40499
github.com/moodle/moodle/commit/fcbb645671d948de1489bebd18d9738c59af2a52
moodle.org/mod/forum/discuss.php?d=438392
tracker.moodle.org/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FMDL-68066&page_caps=&user_role=