CVE 2010-1616
Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.
See the
CVE page on Mitre.org
for more details.