CVE-2019-14884: 
PHP vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, and 3.5 before 3.5.9. The vulnerability was identified and disclosed on November 18, 2019, affecting the way fatal error messages were handled in the system (Moodle Advisory, NVD).

The vulnerability stems from insufficient sanitization of fatal error messages, which could allow for reflected XSS attacks on certain pages. The issue has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction and can be exploited remotely without authentication (NVD).

If successfully exploited, this vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers when they view certain error messages. This could potentially lead to theft of session cookies, credential theft, or other client-side attacks (NVD).

The vulnerability has been fixed in Moodle versions 3.7.3, 3.6.7, and 3.5.9. Users are advised to upgrade to these or later versions to protect against this vulnerability (Moodle Advisory).