Automated testing suites like this do not necessarily detect vulnerabilities, they detect the possibility of something matching a pattern that could indicate a vulnerability. The positive results all need to be manually verified before you can confirm a vulnerability exists. When scanning Moodle, these tools are notoriously innaccurate.
I have reviewed numerous reports of this type in the past (totalling thousands of pages), and do not recall logging a single legitimate security issue from their findings. Though the number of matches seems like a lot, one of the key takeaways in my experience is that they'll match against every repeated instance of a finding, for example many pages using some shared code can result in one false positive being listed as hundreds of matches in the report.
I would suggest reviewing the content carefully, and if you discover any legitimate issues, report them via our security submission form, which you can find at https://moodle.org/security/report/. That way, any findings can be triaged and verified through our Vulnerability Disclosure Program, and any confirmed issues can be addressed. As we do adhere to a Responsible Disclosure Policy (which means we do not release security information until a patch has been released), this is the safest way to report any security findings. Please ensure you do not post any potential issues to this public forum.
I hope that helps!