CiviCRM issue CRM-21215

When using an event's multiple participant registration form, attackers can see others' registration status based on email address

    Details

    • Type: Security Advisory
    • Status: Open
    • Priority: Important
    • Resolution: Unresolved
    • Affects Version/s: 4.6.29
    • Fix Version/s: None
    • Component/s: None
    • Versioning Impact: Patch (backwards-compatible bug fixes)
    • Documentation Required?: None
    • Funding Source: Needs Funding
    • Verified?: No

    Description

    If an event is configured to accept multiple participants (regardless of whether multiple registrations per user are allowed), any user can start filling out the event registration form with more than a single registrant and, on the second page, type the email address of someone they know. When they click the "Continue" button at the bottom of the page, they get an error message saying that the person is already registered, if the user account associated with that address is already registered for the event. The form need not be fully submitted to perform this attack.

    This creates a leak of information about other people's planned attendance at events. It could potentially be used by a stalker.
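    The following is an added illustration, not CiviCRM's code: the pre-submit check described above, as a hypothetical vulnerable version whose reply depends on registration state, beside a non-disclosing version that gives an identical reply and instead notifies the address owner out of band, plus a small detector that flags a session validating many distinct addresses. The registered set, the mailer stand-in and the log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: addresses already registered for the event.
REGISTERED = {"alice@example.org", "bob@example.org"}
OUTBOX = []  # stands in for the mailer in this example (hypothetical)


def vulnerable_check(email: str) -> str:
    """Validation as described in CRM-21215: the reply differs by
    registration state, so any visitor can probe attendance."""
    if email.strip().lower() in REGISTERED:
        return "error: this person is already registered"
    return "ok"


def safe_check(email: str) -> str:
    """Mitigation: the visible reply never depends on registration state.
    The duplicate is resolved out of band by notifying the address owner,
    which only the owner can observe."""
    addr = email.strip().lower()
    if addr in REGISTERED:
        OUTBOX.append((addr, "You are already registered for this event."))
    return "ok"  # same string on both paths


# Constructed validation log: one "session_id email" line per pre-submit check.
SAMPLE_LOG = """\
s1 alice@example.org
s2 carol@example.org
s2 dave@example.org
s2 erin@example.org
s2 frank@example.org
s2 alice@example.org
s3 bob@example.org
"""


def flag_enumeration(log: str, threshold: int = 4) -> list:
    """Detection: a session that validates many distinct addresses is
    probing the oracle rather than registering a group of people."""
    seen = defaultdict(set)
    for line in log.splitlines():
        session, addr = line.split()
        seen[session].add(addr.lower())
    return sorted(s for s, addrs in seen.items() if len(addrs) >= threshold)


if __name__ == "__main__":
    print(vulnerable_check("alice@example.org"))  # leaks attendance
    print(safe_check("alice@example.org"), safe_check("nobody@example.org"))
    print(flag_enumeration(SAMPLE_LOG))  # ['s2']
```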


    People

    • Assignee: Unassigned
    • Reporter: sudoman Andrew Engelbrecht
    • Votes: 0
    • Watchers: 2
