DRUPAL-CONTRIB-2024-015

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/registration_role/DRUPAL-CONTRIB-2024-015.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-015

Aliases

CVE-2024-13251

Published

2024-03-06T17:06:37Z

Modified

2025-12-10T23:41:33.452070Z

Summary

[none]

Details

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

References

https://www.drupal.org/sa-contrib-2024-015

Credits

- Pamela Barone
- - https://www.drupal.org/user/1431110
- Renaud Joubert
- - https://www.drupal.org/user/549974

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/registration_role

Package

Name: drupal/registration_role
Purl: pkg:composer/drupal/registration_role

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.1

Database specific

{
    "constraint": "<2.0.1"
}

Database specific

affected_versions

"<2.0.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/registration_role/DRUPAL-CONTRIB-2024-015.json"