Hi *,

since quite some time a XSS in the "Add a new course" seems to be published / registered via the following CVE:

https://nvd.nist.gov/vuln/detail/CVE-2017-7298

To me it looks like this is matching the "XSS" FAQ available here:

https://docs.moodle.org/30/en/Security_FAQ#I_have_discovered_Cross_Site_Scripting_.28XSS.29_is_possible_with_Moodle

Still it could make sense to clarify your view on this with the researcher:

http://www.daimacn.com/index.php/post/12.html

or mitre:

https://cveform.mitre.org/

to get this CVE corrected / updated. Thanks