Moodle is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary JavaScript by uploading a zip file through the assignment submission function. This results in text and HTML being rendered during a download all
action.