moodle/moodle is vulnerable to information disclosure. The tokens that are used to fetch inline attachments in email notifications are not disabled when the corresponding user account has been deactivated. A user with knowledge of file path and the token would be able to access the files which would otherwise be inaccessible.