CVE-2019-14830: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in Moodle versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect vulnerability that could potentially expose a user's mobile access token. This vulnerability was assigned CVE-2019-14830 and was reported by Frederik Schou Schmidt. The issue did not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method was set to 'via the app' (Moodle Forum).

The vulnerability was classified as serious and involved an open redirect in the mobile launch endpoint that could be exploited to expose mobile access tokens. The issue was specifically related to the mobile authentication process and could be triggered under certain circumstances when the proper security configurations were not in place (Moodle Forum).

If successfully exploited, the vulnerability could result in the exposure of user mobile access tokens, potentially compromising user account security and access to the mobile application (Moodle Forum).

Several mitigation options were provided: 1) Configure the 'Forced URL scheme' (forcedurlscheme) option in site administration to either the app's custom URL scheme or 'moodlemobile' for sites using the standard Moodle app, 2) Disable mobile service (enablemobilewebservice), or 3) Change the mobile app login method (typeoflogin) to 'via the app' instead of via SSO plugin. The vulnerability was fixed in versions 3.7.2, 3.6.6, and 3.5.8 (Moodle Forum).