[Security-news] Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048
security-news at drupal.org
security-news at drupal.org
Wed May 15 17:32:49 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-048
Project: Multiple Registration [1]
Date: 2019-May-15
Security risk: *Critical* 19∕25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables you to use special routes for user registration with
special roles and custom field sets defined for the role.
The module doesn't sufficiently check which user roles can be registered
under the scenario when the user tries to register the user with the
administrator role.
This vulnerability is mitigated on sites where account approval is required
as the user starts as blocked but still gets the "Administrator" role.
Solution:
Install the latest version:
* If you use the Multiple registration module for Drupal 8.x, upgrade to
Multiple registration 8.x-2.8 [3]
Reported By:
* iswilson [4]
Fixed By:
* Yaroslav Samoylenko [5]
* iswilson [6]
* Cash Williams [7] of the Drupal Security Team
Coordinated By:
* Cash Williams [8] of the Drupal Security Team
[1] https://www.drupal.org/project/multiple_registration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/multiple_registration/releases/8.x-2.8
[4] https://www.drupal.org/user/415095
[5] https://www.drupal.org/user/3554629
[6] https://www.drupal.org/user/415095
[7] https://www.drupal.org/user/421070
[8] https://www.drupal.org/user/421070
More information about the Security-news
mailing list