Drupal Security TeamDRUPAL-SA-CONTRIB-2015-155Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155
0.002 Low
EPSS
Percentile
61.6%
This module enables you to manage registrations for events.
The module doesn’t sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations.
This vulnerability is mitigated by the fact that anonymous users must have the permission “Register other accounts.”
CVE identifier(s) issued
- CVE-2015-7880
Versions affected
- Entity Registration 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Entity Registration module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.6
Note on releases: the security bug was fixed in the 7.x-1.5 release, however that release included many other bug fixes and features. The 7.x-1.6 release is intended to fix a critical, non-security bug in the 7.x-1.5 release.
Update permissions configuration:
- Remove the “Register other accounts” permission for anonymous users or other unprivileged roles
- If needed, add the “Register Self” permission for anonymous users and other unprivileged roles
Also see the Entity Registration project page.
Reported by
Fixed by
- Gabe Carleton-Barnes, the module maintainer
Coordinated by
- Michael Hess of the Drupal Security Team
- David Snopek of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/registration
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/dsnopek
www.drupal.org/u/mlhess
www.drupal.org/user/1682976
www.drupal.org/user/657902
www.drupal.org/writing-secure-code
Related
