[Security-news] Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

security-news at drupal.org
Wed Feb 13 19:47:10 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-017

Project: Entity Registration [1]
Date: 2019-February-13
Security risk: *Critical* 18∕25
AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default [2]
Vulnerability: Multiple Vulnerabilities

Description: 
This module enables you to take registrations for events, gathering
information from registrants including email address and any other questions
you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous
registrations by guessing the URL of that registration based on a simple
pattern.
If anonymous users are allowed to register and:

   * anonymous users have the "View" permission, information included in the
     registration can be accessed.
   * anonymous users have the "Edit" permission, information included in the
     registration can be altered.
   * anonymous users have the "Delete" permission, the registration itself can
     be deleted.

This vulnerability is mitigated by the fact that it only applies to cases
where the anonymous user role has specifically been given View, Edit, or
Delete access to the specific Registration Type.
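
An audit check for the mitigating condition above, added here as an example
and not part of the advisory or the Registration module's code. It reads
Drupal 7's role_permission table for the anonymous role (rid 1). The
permission strings, the "conference" registration type and the first-word
matching are assumptions made for illustration, and SQLite stands in for
the site database so the sample runs offline.

```python
import sqlite3

ANONYMOUS_RID = 1  # Drupal 7 core: DRUPAL_ANONYMOUS_RID

# Leading verb of a permission name -> exposure named in the advisory.
# Assumption: the module's permission names start with one of these verbs.
EXPOSURE = {"view": "View", "update": "Edit", "edit": "Edit", "delete": "Delete"}


def anonymous_registration_exposure(conn):
    """Return {exposure: [permission, ...]} granted to the anonymous role
    by the registration module. An empty dict means the mitigating
    condition in the advisory is not met on this site."""
    # If the site uses a table prefix, the table name differs accordingly.
    rows = conn.execute(
        "SELECT permission FROM role_permission "
        "WHERE rid = ? AND module = ? ORDER BY permission",
        (ANONYMOUS_RID, "registration"),
    ).fetchall()
    found = {}
    for (perm,) in rows:
        label = EXPOSURE.get(perm.split(" ", 1)[0].lower())
        if label:
            found.setdefault(label, []).append(perm)
    return found


def build_sample_db():
    """Constructed sample rows; not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT)"
    )
    conn.executemany("INSERT INTO role_permission VALUES (?, ?, ?)", [
        (1, "access content", "node"),
        (1, "create conference registration", "registration"),
        (1, "view conference registration", "registration"),
        (1, "delete any conference registration", "registration"),
        (2, "update any conference registration", "registration"),  # authenticated
    ])
    return conn


if __name__ == "__main__":
    for label, perms in anonymous_registration_exposure(build_sample_db()).items():
        print(f"anonymous has {label}: {perms}")
```

Any non-empty result means the site should be upgraded before anonymous
registration stays enabled with those permissions.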

Solution: 
Install the latest version:

   * If you use the Registration 1.x module for Drupal 7.x, upgrade to
     Registration 7.x-1.7 [3]
   * If you use the Registration 2.x module for Drupal 7.x, upgrade to
     Registration 7.x-2.0-beta3 [4]


Reported By: 
   * gaele  [5]

Fixed By: 
   * Gabriel Carleton-Barnes  [6]

Coordinated By: 
   * Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/registration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration/releases/7.x-1.7
[4] https://www.drupal.org/project/registration/releases/7.x-2.0-beta3
[5] https://www.drupal.org/user/1765
[6] https://www.drupal.org/user/1682976
[7] https://www.drupal.org/u/mlhess