Hi James,
thanks for your answer. We are running Moodle 2.9.8.
When I trigger it manually by opening the link in the browser I get a search field in the middle of the page (adaptable theme).
I can hover the search field without getting a popup. Inside the seachbox I can see some plain javascript code (see attachment) but without tags of course. So IMHO it's not interpreted. no vulnerability given here.
hope you'd like to add something.
Best Regards,
Bjarne