- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 7.1 DXP (7.1.10)
- Component/s: Application Security > OpenID Connect, Security Vulnerability
- Business Value: 3
- CVSS Base Score: 6.5
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

In Liferay DXP 7.1 and DXP 7.0, SSO authentication does not respect the "Allow strangers to create accounts?" setting. If SSO authentication is enabled, users who authenticate using Facebook, Google, OpenID, OpenID Connect or OpenSSO can create an account even if strangers are not allowed to create accounts.
Note: For DXP 7.0, OpenID Connect was first released with DXP 7.0 FP79, which includes the required changes for this issue.