View online: https://www.drupal.org/sa-contrib-2019-017
Project: Entity Registration [1]
Date: 2019-February-13
Security risk: *Critical* 18/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default [2]
Vulnerability: Multiple Vulnerabilities
Description: This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure.
In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern. If anonymous users are allowed to register and:
* anonymous users have the "View" permission, information included in the registration can be accessed.
* anonymous users have the "Edit" permission, information included in the registration can be altered.
* anonymous users have the "Delete" permission, the registration itself can be deleted.
This vulnerability is mitigated by the fact that it only applies to cases where the anonymous user role has specifically been given View, Edit, or Delete access to the specific Registration Type.
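The weakness described above is that a guessable URL is the only thing standing between one anonymous registrant and another's record. The following is an added illustration, written in Drupal 7 style and not the Registration module's own code, of how a site could bind anonymous registrations to the session that created them and check that binding on every view, update or delete; the function names, the `$registration->registration_id` property, the session key and the permission strings are assumptions.

```php
<?php
// Added illustration, not the Registration module's own code.
// Remembers which registration IDs an anonymous session created, so that
// later view/update/delete requests are checked against that list instead
// of trusting whatever ID appears in the URL.

// To be called once an anonymous user has completed a registration
// (hypothetical call site; the entity property name is assumed).
function example_registration_remember_anonymous($registration) {
  if (!user_is_anonymous()) {
    return;
  }
  // Drupal 7 starts an anonymous session lazily when $_SESSION is written.
  $_SESSION['example_registration_ids'][] = (int) $registration->registration_id;
}

// Ownership check for anonymous 'view', 'update' and 'delete' operations.
// Returns TRUE only when this session created the registration AND the
// anonymous role holds the matching permission; it is an additional gate,
// not a replacement for the role-level permission check.
function example_registration_anonymous_access($registration, $op, $account = NULL) {
  $account = isset($account) ? $account : $GLOBALS['user'];
  if ($account->uid != 0) {
    // Authenticated users are covered by the usual uid-based ownership checks.
    return FALSE;
  }
  $owned = isset($_SESSION['example_registration_ids'])
    ? $_SESSION['example_registration_ids']
    : array();
  // Strict comparison: the ID was stored as an int, so compare as an int.
  if (!in_array((int) $registration->registration_id, $owned, TRUE)) {
    return FALSE;
  }
  // Hypothetical permission names; a real site would use the module's own.
  $permission_by_op = array(
    'view'   => 'view own registration',
    'update' => 'edit own registration',
    'delete' => 'delete own registration',
  );
  return isset($permission_by_op[$op]) && user_access($permission_by_op[$op], $account);
}
```

Binding access to the session means an anonymous registrant loses view/edit/delete access once that session expires, which is the trade-off to weigh against exposing the record to anyone who can guess its URL.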
Solution: Install the latest version:
* If you use the Registration 1.x module for Drupal 7.x, upgrade to Registration 7.x-1.7 [3]
* If you use the Registration 2.x module for Drupal 7.x, upgrade to Registration 7.x-2.0-beta3 [4]
Reported By:
* gaele [5]
Fixed By:
* Gabriel Carleton-Barnes [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/registration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration/releases/7.x-1.7
[4] https://www.drupal.org/project/registration/releases/7.x-2.0-beta3
[5] https://www.drupal.org/user/1765
[6] https://www.drupal.org/user/1682976
[7] https://www.drupal.org/u/mlhess