A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.Referenceshttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10154https://moodle.org/mod/forum/discuss.php?d=386521
