The patch for this issue is included in the last minor release, as Mike said. Netanel was kind enough not to disclose the exploit scenario until the public announcement, which was done yesterday, a week after the release (as usual).
Very simple search by the issue number in github returns:
Commit in master branch: https://github.com/moodle/moodle/commit/6e65554ea19f4e90c09864081e47424f8efca02e
Commit in 3.2 branch: https://github.com/moodle/moodle/commit/ca3cbbc2334840f94f5e9622699666c10835241d
Commit in 3.1 branch: https://github.com/moodle/moodle/commit/36706f5b983a057f156f87b3de104569b82ddf03
Commit in 3.0 branch: https://github.com/moodle/moodle/commit/0833e7cfc75c88808257d33d1cd5eb3518150eb0
Commit in 2.7 branch: https://github.com/moodle/moodle/commit/b34eca2f9eb10c3d8519c9068fe40863de3f3bf1
As you can see, in 2.7, 3.0 and 3.1 only two web services are affected. They check capabilities 'moodle/user:create' or 'moodle/user:update' that are normally given to managers or users who manage other users in the system. Hopefully they are trusted users. Besides, these two web services are neither accessible by AJAX nor part of Mobile and therefore are not enabled by default. Impact of this security issue on these versions is not very big but it still exists.
For Moodle 3.2 this is a very serious security vulnerability and everybody must upgrade as soon as possible. There is also another serious issue in the same release.
I want to remind everybody that Moodle follows fixed release schedule and security issues are fixed in minor releases that come out on second Monday of January, March, May, July, September and November (odd months). Even if we delay the major releases (second Monday of May and November), the minors still come out on scheduled dates. This allows our users to plan upgrades in advance and maintain their installations secure.