Hi Steve,
I published all of the CVEs you mentioned and can confirm fixes were released before the CVEs were published (in line with our Responsible Disclosure Policy). If your site is running Moodle 3.11.6, all of those issues are patched, so I suspect your vulnerability scanner is identifying the wrong Moodle version when it fingerprints your site.
Another thought - since your 3.11.6 site was built on a fresh server, is it possible that the scanner is somehow finding its way to the 3.8 site and identifying issues there, for example through some hard-coded URL or similar that it can crawl (assuming of course that both sites are running live at the same time)?