MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise
|
System information
|
|
|
Affected software |
PHP |
Description
|
by Michael Hawkins. OAuth 2 providers who do not verify users email address changes require additional verification during sign-up to reduce the risk of account compromise.Severity/Risk:SeriousVersions affected:3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versionsVersions fixed:3.7.3, 3.6.7 and 3.5.9Reported by:CeDiS TeamWorkaround:Disable login via OAuth 2 providers that may be affected, until the patch is applied.CVE identifier:CVE-2019-14880Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=393583&parent=1586744 |
Standar resources
|
Property |
Value |
CVE |
CVE-2019-14880. |