CVE-2019-14883
Description
In Moodle 3.6 and 3.7, tokens for inline email attachments were not disabled after account deactivation, allowing persistent file access if token and path known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
In Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, tokens used to fetch inline attachments in email notifications were not properly invalidated when a user's account became inactive. [1] This oversight means that even after an account is disabled, the tokens within previously sent email bodies remain valid for retrieving the associated files. [3]
Exploitation Scenario
To exploit this vulnerability, an attacker would need both the token and the file path. [1] Because the token is embedded in the email notification, anyone who still has access to that email (for example, in the deactivated user's mailbox) can use it to fetch the files without logging in to Moodle. The attack does not require authentication to the platform, only possession of the token and knowledge of the file path on the server.
Impact
An attacker who obtains a valid token and file path can retrieve the inline attachments referenced in previously sent email notifications, even after the receiving account has been deactivated, potentially exposing sensitive user data or course materials. [1] This could lead to unauthorized disclosure of information.
Mitigation
The vulnerability has been patched in Moodle 3.6.7 and 3.7.3. [1] Administrators are advised to upgrade to these versions or later to ensure tokens are revoked upon account deactivation. [3] The Moodle project maintains the fix in the official repository. [2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.6, < 3.6.7 | 3.6.7 |
| moodle/moodle (Packagist) | >= 3.7, < 3.7.3 | 3.7.3 |
Affected products
- Moodle/Moodle
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-774q-wfcp-vc2q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-14883 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (vendor confirmation, web)
- moodle.org/mod/forum/discuss.php (vendor confirmation, web)
News mentions
No linked articles in our index yet.