A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
https://moodle.org/mod/forum/discuss.php?d=451580
Created moodle tracking bugs for this issue: Affects: epel-7 [bug 2244897] Affects: fedora-all [bug 2244896]