A flaw was found in moodle. The ID number user profile field requires additional sanitizing to prevent a stored XSS risk.
Disable the ID number field by unchecking it in Site admin > Users > User policies > Show user identity, until the patch has been applied.