Moodle is vulnerable to a bypass of reference validation. The server-side function file_save_draft_area_files() does not check the permissions of file shortcuts/aliases when uploading/saving a file from a draft file to the server. Therefore, any authenticated user can bypass the intended alias restrictions by using a client that omits the check.
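
The missing server-side check, shown as a simplified model of a draft save routine before and after hardening. This is an added example, not Moodle's code or its patch; the function names, the draft-entry layout, the `allow_aliases` policy flag and the `$canReadSource` callback are all assumptions made for illustration.

```php
<?php
// Simplified model, not Moodle code: every name below is hypothetical.
// A draft entry is either a real file ('reference' => null) or an alias
// that points at a file stored elsewhere.

/** Before: assumes the client-side file picker already filtered aliases. */
function save_draft_unchecked(array $draft, array $policy): array {
    return $draft; // every entry, alias or not, is persisted
}

/** After: re-applies the alias policy on the server for every entry. */
function save_draft_checked(array $draft, array $policy, callable $canReadSource): array {
    $saved = [];
    foreach ($draft as $entry) {
        if ($entry['reference'] !== null) {
            // Assumed restriction 1: the target area may forbid aliases.
            if (!$policy['allow_aliases']) {
                throw new RuntimeException("alias not allowed in this area: {$entry['name']}");
            }
            // Assumed restriction 2: the user must be permitted to use the
            // file the alias points at.
            if (!$canReadSource($entry['reference'])) {
                throw new RuntimeException("no permission on alias target: {$entry['name']}");
            }
        }
        $saved[] = $entry;
    }
    return $saved;
}

// Constructed sample input: one ordinary upload and one alias, as submitted
// by a client that omits the check.
$draft = [
    ['name' => 'notes.txt',    'reference' => null],
    ['name' => 'shortcut.pdf', 'reference' => 'example-repo/other-user/report.pdf'],
];
$policy = ['allow_aliases' => false];
$canReadSource = fn(string $ref): bool => false; // stand-in for a real permission lookup

echo count(save_draft_unchecked($draft, $policy)), " entries saved without checks\n";
try {
    save_draft_checked($draft, $policy, $canReadSource);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The hardened routine rejects the whole save when any entry fails, so a partially validated draft is never written.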