
it-securitynotifies - [IT-SecNots] [Security-news] Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

it-securitynotifies AT lists.piratenpartei.de

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017
  • Date: Wed, 13 Feb 2019 19:47:10 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-017

Project: Entity Registration [1]
Date: 2019-February-13
Security risk: *Critical* 18∕25
AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default [2]
Vulnerability: Multiple Vulnerabilities

Description: 
This module enables you to take registrations for events, gathering
information from registrants including email address and any other questions
you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous
registrations by guessing the URL of that registration based on a simple
pattern.
If anonymous users are allowed to register and:

* anonymous users have the "View" permission, information included in the
registration can be accessed.
* anonymous users have the "Edit" permission, information included in the
registration can be altered.
* anonymous users have the "Delete" permission, the registration itself can
be deleted.

This vulnerability is mitigated by the fact that it only applies to cases
where the anonymous user role has specifically been given View, Edit, or
Delete access to the specific Registration Type.

Solution: 
Install the latest version:

* If you use the Registration 1.x module for Drupal 7.x, upgrade to
Registration 7.x-1.7 [3]
* If you use the Registration 2.x module for Drupal 7.x, upgrade to
Registration 7.x-2.0-beta3 [4]


Reported By: 
* gaele [5]

Fixed By: 
* Gabriel Carleton-Barnes [6]

Coordinated By: 
* Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/registration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration/releases/7.x-1.7
[4] https://www.drupal.org/project/registration/releases/7.x-2.0-beta3
[5] https://www.drupal.org/user/1765
[6] https://www.drupal.org/user/1682976
[7] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
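
The exposure conditions and fixed releases given in the advisory above, combined into a site audit. This is an added example, not part of the advisory or the Registration project's code. It assumes rows exported from Drupal 7's role_permission table (rid, permission, module), that the module's machine name is "registration", and that the permission strings start with the verb; the sample rows are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by module branch (1.x / 2.x).
FIXED = {1: "7.x-1.7", 2: "7.x-2.0-beta3"}
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a stable release sorts last
ANON_RID = 1  # role id of the anonymous role in Drupal 7

# Impact per permission verb, as listed in the advisory. Matching on the
# leading verb is an assumption about permission naming; adjust per site.
IMPACT = {"view": "registration data can be read",
          "edit": "registration data can be altered",
          "update": "registration data can be altered",
          "delete": "registrations can be deleted"}

# Constructed sample rows (rid, permission, module); not real site data.
SAMPLE_ROWS = [
    (1, "create conference registration", "registration"),
    (1, "view conference registration", "registration"),
    (1, "delete conference registration", "registration"),
    (2, "update conference registration", "registration"),
]

def parse(version):
    """'7.x-2.0-beta3' -> (2, 0, 1, 3); None for dev snapshots or junk."""
    m = re.fullmatch(r"7\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        return None
    major, minor, stage, n = m.groups()
    return (int(major), int(minor), STAGE[stage], int(n or 0))

def is_patched(version):
    v = parse(version)
    # Dev snapshots and unknown branches are treated as unpatched.
    return bool(v) and v[0] in FIXED and v >= parse(FIXED[v[0]])

def audit(version, role_permission_rows):
    """Return sorted (permission, impact) pairs that leave the site exposed."""
    if is_patched(version):
        return []
    findings = []
    for rid, permission, module in role_permission_rows:
        if rid != ANON_RID or module != "registration":
            continue
        verb = permission.split()[0].lower()
        if verb in IMPACT:
            findings.append((permission, IMPACT[verb]))
    return sorted(findings)

if __name__ == "__main__":
    print(audit("7.x-1.6", SAMPLE_ROWS))
```

An empty result means either a fixed release is installed or the anonymous role holds none of the View, Edit, or Delete permissions the advisory names.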

