From the Red Hat Bugzilla entries [1, 2, 3]:
A possibility to bypass file upload size constraint was found in the way the webservice script, called from the filepicker front end of Moodle, a course management system, performed sanitization of 'maxbytes' variable. A remote attacker could issue a specially-crafted request that, when processed could allow an attacker to upload a file even if it was larger than specified constraint.
Users with permission to access multiple services were able to use a token
from one service to access another. An attacker could use this flaw,
in an unauthorized way, to access content of an external service.
A security flaw was found in the way Moodle course management system performed permission check on course reset page (the course reset link was protected by a correct permission, but the reset page itself was being checked for a different permission). A remote attacker could use this flaw to in an unauthorized way to reset particular course.