In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
https://moodle.org/mod/forum/discuss.php?d=451591
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2244921]
Affects: fedora-all [bug 2244922]