View online: https://www.drupal.org/sa-contrib-2019-048
Project: Multiple Registration [1] Date: 2019-May-15 Security risk: *Critical* 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.
The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role.
This vulnerability is mitigated on sites where account approval is required as the user starts as blocked but still gets the "Administrator" role.
Solution: Install the latest version:
* If you use the Multiple registration module for Drupal 8.x, upgrade to Multiple registration 8.x-2.8 [3]
Reported By: * iswilson [4]
Fixed By: * Yaroslav Samoylenko [5] * iswilson [6] * Cash Williams [7] of the Drupal Security Team
Coordinated By: * Cash Williams [8] of the Drupal Security Team
[1] https://www.drupal.org/project/multiple_registration [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/multiple_registration/releases/8.x-2.8 [4] https://www.drupal.org/user/415095 [5] https://www.drupal.org/user/3554629 [6] https://www.drupal.org/user/415095 [7] https://www.drupal.org/user/421070 [8] https://www.drupal.org/user/421070