Description
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know both the file path and their token.
Remediation
References
Related Vulnerabilities
PHP Improper Input Validation Vulnerability (CVE-2011-1398)
Apache Tomcat Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2020-13935)
Oracle Database Server Deserialization of Untrusted Data Vulnerability (CVE-2019-16942)
WordPress Plugin File Manager Advanced Shortcode Arbitrary File Upload (2.5.3)