Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

Project: Multiple RegistrationDate: 2019-May-15Security risk: Critical 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.
The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role.
This vulnerability is mitigated on sites where account approval is required as the user starts as blocked but still gets the "Administrator" role.Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

  • Cash Williams of the Drupal Security Team
  • Path to article https://www.drupal.org/sa-contrib-2019-048