CVE-2019-14881: 
PHP vulnerability analysis and mitigation

A vulnerability was found in Moodle 3.7 before version 3.7.3, identified as CVE-2019-14881, where blind XSS (Cross-Site Scripting) was reflected in some locations where user email is displayed. The vulnerability was discovered and reported by Yuri Zwaig, with the disclosure date of March 18, 2020 (Moodle Forum, NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium), vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the email display functionality in Moodle, where user email content was not properly sanitized before being displayed, potentially allowing for blind XSS attacks (NVD).

The vulnerability could allow an attacker to execute malicious scripts in the context of other users' browsers when they view unsanitized email content. This could potentially lead to unauthorized access to user data and compromise of user sessions (NVD).

The vulnerability was fixed in Moodle version 3.7.3. Users should upgrade to this version or later to mitigate the risk. The fix involved implementing additional sanitization for user emails in affected display locations (Moodle Forum).