View online: https://www.drupal.org/sa-contrib-2019-066
Project: Create user permission [1]
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: *Critical* 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: This module enables you to have a separate permission only for creating users.
The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".
When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.
This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".
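As an added illustration (not code from the create_user_permission module or from Drupal core), the helper below shows the decision a delegated "create users" path has to make from Drupal's user.settings values so that the "administrator approval" option is honoured; the setting values and mail keys are the ones core uses, while the function name and return shape are assumptions of this example.

```php
<?php
// Added example, not the module's code: decide how an account created by
// someone holding only a delegated "create users" right must be handled,
// honouring the "Who can register accounts?" setting (user.settings:register).
// The three string values are the ones Drupal core stores for that setting.
const REGISTER_ADMINISTRATORS_ONLY = 'admin_only';
const REGISTER_VISITORS = 'visitors';
const REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL = 'visitors_admin_approval';

/**
 * Returns the policy for a newly created account (hypothetical helper).
 *
 * @param string $register    Value of user.settings:register.
 * @param bool   $verifyMail  Value of user.settings:verify_mail.
 * @param bool   $isFullAdmin TRUE only when the acting user holds core's
 *                            "administer users" permission; a user who only
 *                            holds a delegated "create users" right is FALSE.
 *
 * @return array{status:int, notify:string, auto_login:bool}
 *   status: 1 = active, 0 = blocked; notify: core mail key to send.
 */
function new_account_policy(string $register, bool $verifyMail, bool $isFullAdmin): array {
  if ($isFullAdmin) {
    // A real administrator may activate the account directly.
    return ['status' => 1, 'notify' => 'register_admin_created', 'auto_login' => FALSE];
  }
  switch ($register) {
    case REGISTER_ADMINISTRATORS_ONLY:
      // The setting forbids non-administrators from creating accounts at all.
      throw new \RuntimeException('Account creation is restricted to administrators.');

    case REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL:
      // The case described in the advisory: the account must stay blocked
      // until an administrator approves it; it must not be activated here.
      return ['status' => 0, 'notify' => 'register_pending_approval', 'auto_login' => FALSE];

    case REGISTER_VISITORS:
      // Open registration: active immediately; with e-mail verification the
      // user gets a one-time login link instead of being logged in at once.
      return ['status' => 1, 'notify' => 'register_no_approval_required', 'auto_login' => !$verifyMail];
  }
  throw new \InvalidArgumentException("Unknown register setting: $register");
}

// Sanity check for the critical case: approval required, no full admin rights.
$policy = new_account_policy(REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL, FALSE, FALSE);
assert($policy['status'] === 0 && $policy['auto_login'] === FALSE);
```

Run it with `php -d zend.assertions=1 file.php`; if the module-specific creation path is ever given `$isFullAdmin = TRUE` for a user who lacks "administer users", the approval step is skipped, which is the behaviour the advisory describes.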
Solution: Install the latest version:
* If you use the create_user_permission module for Drupal 8.x, upgrade to Create user permission 8.x-1.2 [3]
Also see the Create user permission [4] project page.
Reported By: * jddh [5]
Fixed By: * Eirik Morland [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
* Drew Webber [9] of the Drupal Security Team
[1] https://www.drupal.org/project/create_user_permission
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/create_user_permission/releases/8.x-1.2
[4] https://www.drupal.org/project/create_user_permission
[5] https://www.drupal.org/user/509004
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/255969