Details
-
Type:
Security Advisory
-
Status: Open
-
Priority:
Important
-
Resolution: Unresolved
-
Affects Version/s: 4.6.29
-
Fix Version/s: None
-
Component/s: None
-
Versioning Impact:Patch (backwards-compatible bug fixes)
-
Documentation Required?:None
-
Funding Source:Needs Funding
-
Verified?:No
Description
If an event is configured to accept multiple participants (and with either multiple registrations per user allowed, or not allowed), any user can start filling out the event registration form with more than a single registrant, and on the second page, they can type the email address of someone they know. When they click the "Continue" button at the bottom of the page, they will get an error message saying that that person is already registered, if the user account associated with that address is already registered. The form need not be fully submitted to perform this attack.
This creates a leak of information about other people's planned attendance to events. It could potentially be used by a stalker.