This is not the right way to report Moodle security issues. See https://moodle.org/security
(But, from what I have seen so far, your tester has failed to find any real issues. They just don't understand how Moodle works or what it is doing. E.g. the thing in the URL is not a session id, it is a CSRF token. The nv_user is not created by Moodle, ...)