Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-March-06
Vulnerability:
Access bypass
Affected versions:
<2.0.1
CVE IDs:
CVE-2024-13251
Description:
The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.
The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).
This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.
Solution:
Install the latest version:
- If you use the Registration role module version 2.x, upgrade to Registration role 2.0.1
Review user accounts registered between 2023 July 11 and now for having additional roles you did not intend for them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, up until you re-saved the settings form or until you install the new release - whichever came first - users who registered receive all roles.
Also, upgrade to the latest version and run update hooks at update.php or with Drush, drush updb
OR: Immediately re-save the the configuration page at /admin/people/registration-role
Reported By:
Fixed By:
- Juraj Nemec of the Drupal Security Team
- Benjamin Melançon
Coordinated By:
- Juraj Nemec of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
