Injection Vulnerability
When a quiz question bank is imported, it is possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
Information Exposure
A flaw was found in Moodle. It is possible for the `core_course_get_categories` web service to return hidden categories, which should be omitted when fetching course categories.