CVE-2019-14830

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to
3.5.7 and earlier unsupported versions, where the mobile launch endpoint
contained an open redirect in some circumstances, which could result in a
user’s mobile access token being exposed. (Note: This does not affect sites
with a forced URL scheme configured, mobile service disabled, or where the
mobile app login method is “via the app”).