
it-securitynotifies - [IT-SecNots] [Security-news] Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048
  • Date: Wed, 15 May 2019 17:32:49 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-048

Project: Multiple Registration [1]
Date: 2019-May-15
Security risk: *Critical* 19∕25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to use special routes for user registration with
special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles can be registered
when a user tries to register an account with the administrator role.

This vulnerability is mitigated on sites where account approval is required:
the new account starts as blocked, but it still gets the "Administrator" role.

Solution: 
Install the latest version:

* If you use the Multiple registration module for Drupal 8.x, upgrade to
Multiple registration 8.x-2.8 [3]

Reported By: 
* iswilson [4]

Fixed By: 
* Yaroslav Samoylenko [5]
* iswilson [6]
* Cash Williams [7] of the Drupal Security Team

Coordinated By: 
* Cash Williams [8] of the Drupal Security Team

[1] https://www.drupal.org/project/multiple_registration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/multiple_registration/releases/8.x-2.8
[4] https://www.drupal.org/user/415095
[5] https://www.drupal.org/user/3554629
[6] https://www.drupal.org/user/415095
[7] https://www.drupal.org/user/421070
[8] https://www.drupal.org/user/421070
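
An audit query for the case the advisory describes, where an account that starts as blocked still holds the "Administrator" role. This is an added example, not part of the advisory or the module's code. It assumes MySQL/MariaDB, Drupal 8 core's default table names with no table prefix, and that the admin role's machine name is `administrator`.

```sql
-- Added audit query (not from the advisory).
-- Assumptions: MySQL/MariaDB, Drupal 8 core schema, no table prefix,
-- admin role machine name 'administrator' (adjust if the site renamed it).
--
-- Lists every account that holds the administrator role, newest first,
-- including blocked accounts, so unexpected role grants stand out.
SELECT
    u.uid,
    u.name,
    u.mail,
    CASE u.status WHEN 1 THEN 'active' ELSE 'blocked' END AS account_state,
    FROM_UNIXTIME(u.created)              AS created_at,
    -- access = 0 means the account has never been used; shown as NULL
    FROM_UNIXTIME(NULLIF(u.access, 0))    AS last_access
FROM users_field_data AS u
JOIN user__roles AS r
      ON r.entity_id = u.uid
WHERE r.roles_target_id = 'administrator'
  AND r.deleted = 0
  -- one row per user even on multilingual sites
  AND u.default_langcode = 1
ORDER BY u.created DESC;
```

Rows marked `blocked` with a recent `created_at` and no `last_access` are the accounts to review before approving any pending registrations.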
