Launchpad.net

CVE 2010-1616

Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.

See the CVE page on Mitre.org for more details.