In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

The referrer URL used by MFA required additional sanitizing, rather than being used directly.

Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.

Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.