Moodle is vulnerable to cross-site scripting (XSS) attacks. The attacks exist because lib/classes/event/user_login_failed.php does not escape the user-supplied username
before returning it to the description during invalid login-attempt. This allows a malicious user to inject and execute arbitrary code through the username
parameter.