moodle/moodle is vulnerable to directory traversal. It does not validate the path used to import a lesson question, allowing an authorized user to cause an arbitrary file read via this feature.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029
bugzilla.redhat.com/show_bug.cgi?id=2106274
github.com/moodle/moodle/commit/3cafb305ded3bf676a2d2b89fcf5a0c6ea7c6d6d
github.com/moodle/moodle/commit/d585f902fc2bc4f04ac2b097aa9bfde8a71f8fba
lists.fedoraproject.org/archives/list/[email protected]/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
lists.fedoraproject.org/archives/list/[email protected]/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
moodle.org/mod/forum/discuss.php?d=436457