Users' web service tokens could be exposed to other users enrolled in the same course, who have the ability to share HTML content.
Created moodle tracking bugs for this issue: Affects: epel-all [bug 1801598] Affects: fedora-30 [bug 1801597]