|Topic:||Potential non-persistent XSS when searching for group members (MSSQL and Oracle only)|
|Versions affected:||1.9.0, 1.9.1|
|Solution:||Upgrade to 1.9.2 or any recent nightly, or use the patch http://cvs.moodle.org/moodle/group/members.php?r1=22.214.171.124&r2=126.96.36.199|
Description: We have discovered that systems running on MSSQL or Oracle databases are vulnerable to a non-persistent cross-site scripting (XSS) attack. This vulnerability was caused by incorrect escaping when using database engines that require Sybase-style quoting (MSSQL and Oracle only).