Moodle is vulnerable to unauthorized editing to web pages. It happens because it does not prevent the capability ‘moodle/my:manageblocks’ from authenticated user role, allowing to move HTML blocks containing scripts to other pages visible by other users.