Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066

Project: Create user permission
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description: This module enables you to have a separate permission only for creating users.
The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".
When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.
This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".

Solution: Install the latest version:

Also see the Create user permission project page.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2019-066
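
To check whether a site's registration settings match the affected combination or one of the mitigations described above, the following added example (not part of the advisory or the module's code) classifies an exported `user.settings.yml`. It assumes an affected version of the module is installed and that the file comes from a Drupal 8 configuration export; the function names and the sample file content are constructed for illustration.

```python
import re

# Values Drupal core stores in user.settings for "Who can register accounts?"
ADMIN_ONLY = "admin_only"
VISITORS = "visitors"
VISITORS_ADMIN_APPROVAL = "visitors_admin_approval"

# Constructed sample of an exported user.settings.yml (not from a real site).
SAMPLE = """\
langcode: en
verify_mail: false
notify:
  register_pending_approval: true
register: visitors_admin_approval
"""


def top_level_scalars(yaml_text):
    """Return top-level `key: value` pairs; nested (indented) keys are skipped."""
    pairs = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):[ \t]+(\S.*?)\s*$", line)
        if m:
            pairs[m.group(1)] = m.group(2).strip("'\"")
    return pairs


def assess(yaml_text):
    """Classify a user.settings export against SA-CONTRIB-2019-066."""
    cfg = top_level_scalars(yaml_text)
    register = cfg.get("register")
    verify_mail = cfg.get("verify_mail", "").lower() == "true"
    if register == ADMIN_ONLY:
        return "mitigated: account creation limited to administrators"
    if register == VISITORS_ADMIN_APPROVAL:
        if verify_mail:
            return "mitigated: email verification required"
        return "exposed: approval setting can be bypassed, update the module"
    if register == VISITORS:
        return "not applicable: approval is not required by configuration"
    return "unknown: register setting missing or unrecognized"


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "mitigated" result only reflects the settings named in the advisory; installing the fixed release remains the solution.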