DRUPAL-CONTRIB-2019-066

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/create_user_permission/DRUPAL-CONTRIB-2019-066.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-066
Published
2019-09-18T15:07:56Z
Modified
2025-12-10T23:33:49.626843Z
Summary
[none]
Details

This module enables you to have a separate permission only for creating users.

The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".

When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.

This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/create_user_permission

Package

Name
drupal/create_user_permission
Purl
pkg:composer/drupal/create_user_permission

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.0
Database specific 
{
    "constraint": "<1.2.0"
}

Database specific

affected_versions 
"<1.2.0"
source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/create_user_permission/DRUPAL-CONTRIB-2019-066.json"