CVE-2019-14883: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Moodle versions 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. The vulnerability was identified and tracked as CVE-2019-14883. To exploit this vulnerability, a user would need to know both the file path and their token (Moodle Forum, Red Hat Bugzilla).

The vulnerability affects the email notification system in Moodle, specifically the token-based authentication mechanism used for accessing inline attachments. The issue stems from the system's failure to invalidate access tokens when user accounts become inactive. This security flaw was reported by Juan Leyva and was classified as having Minor severity (Moodle Forum).

The impact of this vulnerability is limited as successful exploitation requires specific conditions: an attacker would need to possess both the file path and the corresponding token. Even with these prerequisites, the vulnerability only affects access to email attachment content for inactive user accounts (Moodle Forum).

The vulnerability was addressed in Moodle versions 3.7.3 and 3.6.7. Organizations running affected versions should upgrade to these patched versions or later to mitigate the risk. The fix ensures that access tokens are properly invalidated when user accounts become inactive (Moodle Forum).