Package Instance

Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the `search_pagination` function in `course/classes/management_renderer.php` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted search string.

Information Exposure
The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request.