Quoting Moodle security advisory MSA-08-0008:

  During internal code review performed by Allegro.pl, some weaknesses were discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses are part of many popular projects, including WordPress, Moodle, Drupal, eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from cross-site scripting to code execution, depending on implementation.

  [...]

  There is a new option "Use HTML Purifier" in 1.9, it uses a different whitelisting technique which is considered to be much safer than KSES.

Upstream advisory:
  http://moodle.org/mod/forum/discuss.php?d=95031

Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):
  http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.12.3&r2=1.3.12.4
  http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.99&r2=1.812.2.100

F-9 and Rawhide are already using 1.9. F-8 should probably be updated to 1.8.5 or patches above can be applied.
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6226