OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
|Versions affected:||3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions|
|Versions fixed:||3.7.3, 3.6.7 and 3.5.9|
|Reported by:||CeDiS Team|
|Workaround:||Disable login via OAuth 2 providers that may be affected, until the patch is applied.|
|Tracker issue:||MDL-66598 Add additional verification for some OAuth 2 logins to prevent account compromise|