CVE-2024-34006: Moodle Unsanitized HTML in site log for config_log_created
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2024-34006
GHSA ID:
EPSS Score: 0.6938%
CWE: CWE-838
Published: 5/31/2024
Updated: 7/5/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 4.3.0, < 4.3.4 | 4.3.4 |
| moodle/moodle | composer | >= 4.2.0, < 4.2.7 | 4.2.7 |
| moodle/moodle | composer | < 4.1.10 | 4.1.10 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stems from unescaped HTML in site log event descriptions. Moodle's log table rendering uses column-specific methods named col_{columnname} to display each column. The col_description method in the log table class (admin/tool/log/classes/table/log.php) is responsible for outputting event descriptions. Prior to patching, this method likely returned the stored description without applying Moodle's output escaping (e.g., the s() function, or format_text() with appropriate options), so any HTML stored in a log entry was rendered by the browser rather than shown as text, making the page vulnerable to XSS via log entries. The CWE-838 classification confirms this is an output encoding issue, and the patch would have added escaping in this display-layer function.
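As an added illustration of the analysis above (not Moodle's code and not the actual patch), a stand-alone PHP sketch of a col_description renderer in its raw and escaped forms, run over a constructed log row. The local s() function is an assumed approximation of Moodle's helper, and col_description here is a hypothetical stand-in for the real table method.

```php
<?php
// Added illustration, not Moodle's code. Local stand-in for Moodle's s() helper
// (assumption: it encodes with htmlspecialchars using ENT_QUOTES and UTF-8).
function s($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical column renderer following the col_{columnname} convention.
// $escape = false mirrors the raw return the analysis describes (vulnerable);
// $escape = true is the hardened form that encodes before output.
function col_description(array $row, bool $escape): string {
    return $escape ? s($row['description']) : $row['description'];
}

// Constructed log row: a value containing markup that reached the site log.
$row = ['description' => 'Config changed: <script>alert(1)</script>'];

// Vulnerable path: the markup is emitted unchanged, so the browser executes it.
echo col_description($row, false), PHP_EOL;

// Hardened path: the same value is emitted as text, e.g.
// "Config changed: &lt;script&gt;alert(1)&lt;/script&gt;".
echo col_description($row, true), PHP_EOL;

// Self-check a reviewer can run: the escaped output must carry no raw '<'.
assert(strpos(col_description($row, true), '<') === false);
```

The check at the end is the kind of regression test worth keeping next to any col_* method that renders user-influenced data.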