CVE-2019-14880: 
PHP vulnerability analysis and mitigation

A vulnerability was identified in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier, where OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise (NVD, CVE).

The vulnerability is related to OAuth 2 authentication implementation in Moodle. The issue stems from insufficient verification of email address changes during the OAuth 2 sign-up process. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating a critical severity level with potential for high impact on confidentiality and integrity (NVD).

The vulnerability could potentially lead to account compromise in Moodle installations where OAuth 2 authentication is used. The high CVSS score indicates that successful exploitation could result in significant unauthorized access to user accounts and potential manipulation of user information (NVD).

The vulnerability has been fixed in Moodle versions 3.7.3, 3.6.7, and 3.5.9. Organizations running affected versions should upgrade to these patched versions or later to mitigate the risk (Red Hat Bugzilla).