CVE-2017-12157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12157): In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.
CVE-2017-12156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12156): Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
Latest unstable ebuilds are not vulnerable as verified with upstream advisory. Not digging through Git logs.