<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div>View online: <a href="https://www.drupal.org/sa-contrib-2024-015" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-015</a><br>
<br>
Project: Registration role [1]<br>
Date: 2024-March-06<br>
Security risk: *Critical* 18∕25<br>
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]<br>
Vulnerability: Access bypass<br>
<br>
Affected versions: <2.0.1<br>
Description: <br>
The Registration role module lets an administrator select one or more roles<br>
that are automatically assigned to every newly registered user.<br>
<br>
The module contains a logic error that affects sites that updated the module's<br>
code but did not run the Drupal database update process (e.g. update.php).<br>
<br>
This vulnerability is mitigated by the fact that the problem does not exist<br>
on sites that followed the normal process of updating code and then running<br>
the standard database updates.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you use the Registration role module version 2.x, upgrade to<br>
     Registration role 2.0.1 [3]<br>
<br>
Review user accounts registered between 2023 July 11 and now for additional<br>
roles you did not intend them to have. If your site missed or reverted the<br>
configuration update shipped in the 2.0.0 release of Registration Role (or in<br>
the development branch from 2020 August 17 on), non-selected roles were not<br>
removed from the module's configuration. Until you re-saved the settings form<br>
or installed the new release, whichever came first, every user who registered<br>
received /all/ roles in that configuration, not only the ones you selected.<br>
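One way to carry out that review, as an added example that is not part of the advisory or of the Registration role module: the query below lists every account created on or after 2023 July 11 together with its roles, and the Python wrapper flags accounts carrying roles you did not select. The table and column names are Drupal core's (users_field_data, user__roles); the intended role set, the sample accounts and the in-memory SQLite stand-in are constructed for illustration.<br>

```python
import sqlite3
from datetime import datetime, timezone


def utc_ts(year, month, day):
    """Unix timestamp for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Earliest registration date the advisory asks you to review.
SINCE = utc_ts(2023, 7, 11)

# The role(s) you deliberately selected at /admin/people/registration-role.
# Assumption for this example: only "member" was intended. Drupal does not
# store the implicit "authenticated" role in user__roles, so it is not listed.
INTENDED_ROLES = {"member"}

# Drupal 8+ core schema: users_field_data holds the account and its creation
# time, user__roles holds one row per (user, role). The same statement runs
# unchanged on MySQL/MariaDB, e.g. via `drush sql:query`.
AUDIT_SQL = """
SELECT u.uid, u.name, u.created, GROUP_CONCAT(r.roles_target_id) AS roles
FROM users_field_data u
JOIN user__roles r ON r.entity_id = u.uid AND r.deleted = 0
WHERE u.created >= :since
GROUP BY u.uid, u.name, u.created
ORDER BY u.uid
"""


def find_unexpected_roles(conn, intended_roles=INTENDED_ROLES, since=SINCE):
    """Return [(uid, name, [extra roles...])] for accounts created on or after
    `since` that carry roles outside `intended_roles`."""
    findings = []
    for uid, name, _created, roles in conn.execute(AUDIT_SQL, {"since": since}):
        extra = sorted(set(roles.split(",")) - set(intended_roles))
        if extra:
            findings.append((uid, name, extra))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for the two Drupal tables (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users_field_data (uid INTEGER, name TEXT, created INTEGER);
        CREATE TABLE user__roles (entity_id INTEGER, deleted INTEGER,
                                  delta INTEGER, roles_target_id TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO users_field_data VALUES (?, ?, ?)",
        [
            (1, "admin", utc_ts(2021, 3, 2)),      # pre-dates the review window
            (10, "alice", utc_ts(2023, 8, 1)),     # got only the intended role
            (11, "mallory", utc_ts(2023, 9, 15)),  # got every configured role
            (12, "bob", utc_ts(2024, 1, 20)),      # no explicit roles at all
        ],
    )
    conn.executemany(
        "INSERT INTO user__roles VALUES (?, 0, ?, ?)",
        [
            (1, 0, "administrator"),
            (10, 0, "member"),
            (11, 0, "member"),
            (11, 1, "administrator"),
            (11, 2, "content_editor"),
        ],
    )
    return conn


if __name__ == "__main__":
    for uid, name, extra in find_unexpected_roles(build_sample_db()):
        print(f"uid {uid} ({name}): unexpected roles {', '.join(extra)}")
```

On a live site run the same SQL against the real database (for example with drush sql:query) and replace INTENDED_ROLES with the roles actually selected at /admin/people/registration-role. Accounts with no explicit roles drop out of the inner join, which is acceptable here because the question is only whether an account holds roles beyond the intended set.<br>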
<br>
Also, upgrade to the latest version /and run the update hooks/ at update.php or<br>
with Drush (drush updb).<br>
<br>
OR: Immediately re-save the configuration page at<br>
/admin/people/registration-role<br>
<br>
Reported By: <br>
   * Pamela Barone [4]<br>
   * Renaud Joubert [5]<br>
<br>
Fixed By: <br>
   * Juraj Nemec [6] of the Drupal Security Team<br>
   * Benjamin Melançon [7]<br>
<br>
Coordinated By: <br>
   * Juraj Nemec [8] of the Drupal Security Team<br>
   * Greg Knaddison [9] of the Drupal Security Team<br>
   * Drew Webber [10] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/registration_role" rel="noreferrer" target="_blank">https://www.drupal.org/project/registration_role</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/registration_role/releases/2.0.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/registration_role/releases/2.0.1</a><br>
[4] <a href="https://www.drupal.org/user/1431110" rel="noreferrer" target="_blank">https://www.drupal.org/user/1431110</a><br>
[5] <a href="https://www.drupal.org/user/549974" rel="noreferrer" target="_blank">https://www.drupal.org/user/549974</a><br>
[6] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[7] <a href="https://www.drupal.org/user/64383" rel="noreferrer" target="_blank">https://www.drupal.org/user/64383</a><br>
[8] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[10] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><br class="gmail-Apple-interchange-newline">===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div>Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div>