Unenforced Capability
Moodle has unenforced capabilities. The moodle/site:accessallgroups capability isn't enforced for outside-group users in the SEPARATEGROUPS configuration. Leveraging this flaw, authenticated attackers can perform login as actions through a direct request...