Moodle is vulnerable to open redirect. The attack is due to the lack of filter in the form to upload cohorts, allowing a redirect not limited to internal URLs.
www.securityfocus.com/bid/108921
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10133
github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
github.com/uclouvain/openjpeg/issues/431
github.com/uclouvain/openjpeg/pull/1168/commits/c58df149900df862806d0e892859b41115875845
lists.debian.org/debian-lts-announce/2019/07/msg00010.html
moodle.org/mod/forum/discuss.php?d=386523