Moodle is vulnerable to e-mail address disclosure. Moodle grants excessive authorization through the moodle/course:viewhiddenuserfields
. Authenticated users can find student e-mail addresses using a teacher role and looking at the participants list.