View online: https://www.drupal.org/sa-contrib-2020-004 Project: Profile [1] Date: 2020-February-19 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access Bypass Description: The Profile module enables you to allow users to have configurable user profiles. The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users. Solution: Install the latest version: * If you use the Profile module for Drupal 8.x, upgrade to Profile 8.x-1.1 [3] Also see the Profile [4] project page. Reported By: * karl972 [5] Fixed By: * Matt Glaman [6] * Bojan Živanović [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/profile [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/profile/releases/8.x-1.1 [4] https://www.drupal.org/project/profile [5] https://www.drupal.org/user/1541584 [6] https://www.drupal.org/user/2416470 [7] https://www.drupal.org/user/86106 [8] https://www.drupal.org/user/36762