Description
Greetings:
System Overview:
CiviCRM 2.2.8 (Upgraded from 2.0.x -> 2.1.x -> 2.2.0 -> 2.2.7 -> 2.2.8)
Drupal 6.13 (Upgraded from Drupal 5)
Issue Synopsis:
When an event has both "Register Multiple Participants" and "Allow Multiple Registrations from the Same Email Address" enabled, and users explicitly populate the email field for each participant with the same email address during the registration process, only a single contact is created within CiviCRM, and only the data contained in the last participant's registration is recorded.
Extended Example:
We have a set of custom data associated with Individuals that we collect during the registration process. If a user explicitly populates the same email address for each user, the First Name, Last Name, and custom data for the last participant with that email address are the only data recorded for the registration. CiviEvent does record a registration for each participant; however, it points back to the same individual's record.
Security Implications:
As a result, an unauthenticated user could overwrite any data fields collected during the registration process of an event for any existing individual simply by supplying the email address of an existing individual record.
Steps to Recreate:
- Create an Event with online registration, with "Register Multiple Participants" and "Allow Multiple Registrations from the Same Email Address" enabled.
- Associate custom profiles.
- Register with "Additional Participants"
- Explicitly provide the same email address in the email address field for both participants.
Result: Only the last participant's data is recorded.
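A simplified model of the behaviour described in this report, added here as an example; it is not CiviCRM code and not from the reporter. `ContactStore`, `register_email_match`, `register_no_overwrite` and the sample data are hypothetical. The second function is one assumed mitigation: a submission may only update the contact tied to the current session, and other submitted values stay on the participant row.

```python
# Simplified model of the report's behaviour; not CiviCRM code.
# ContactStore and both register_* functions are hypothetical names.

class ContactStore:
    def __init__(self):
        self.contacts = {}      # contact_id -> field dict
        self.by_email = {}      # email -> contact_id
        self.participants = []  # (event_id, contact_id, submitted fields)

    def create(self, email, fields):
        cid = len(self.contacts) + 1
        self.contacts[cid] = dict(fields, email=email)
        self.by_email[email] = cid
        return cid

def _split(sub):
    return sub["email"], {k: v for k, v in sub.items() if k != "email"}

def register_email_match(store, event_id, submissions):
    """Reported behaviour: match on email alone, then write the
    submitted fields onto whichever contact matched."""
    for sub in submissions:
        email, fields = _split(sub)
        cid = store.by_email.get(email)
        if cid is None:
            cid = store.create(email, fields)
        else:
            store.contacts[cid].update(fields)  # last submission wins
        store.participants.append((event_id, cid, fields))

def register_no_overwrite(store, event_id, submissions, session_cid=None):
    """Assumed mitigation: only the logged-in contact's own record may be
    updated; other matches keep their data, and the submitted values are
    stored on the participant row instead."""
    for sub in submissions:
        email, fields = _split(sub)
        cid = store.by_email.get(email)
        if cid is None:
            cid = store.create(email, fields)
        elif cid == session_cid:
            store.contacts[cid].update(fields)
        store.participants.append((event_id, cid, fields))

def demo(register):
    # Constructed sample data: one existing contact, two anonymous participants.
    store = ContactStore()
    store.create("pat@example.org", {"first_name": "Pat", "diet": "vegan"})
    register(store, 1, [
        {"email": "pat@example.org", "first_name": "Bob", "diet": "none"},
        {"email": "pat@example.org", "first_name": "Carol", "diet": "halal"},
    ])
    return store
```

Calling `demo(register_email_match)` leaves the existing contact holding the last participant's values, while `demo(register_no_overwrite)` leaves it unchanged and keeps both submissions on their participant rows.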