The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. The suggested workaround was to verify the contents and trustworthiness of grade spreadsheets before importing them. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
https://moodle.org/mod/forum/discuss.php?d=451582
Created moodle tracking bugs for this issue: Affects: epel-7 [bug 2244900] Affects: fedora-all [bug 2244901]