CVE-2021-25973: Publify `guest` role users can self-register even when the admin does not allow it

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score
0.37378%
Published
11/3/2021
Updated
5/4/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions       First Patched Version
publify_core   rubygems    >= 9.0.0.pre1, < 9.2.5    9.2.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from Publify's failure to enforce the administrator's "allow signup" setting on the server side. The setting was honoured only in the front end, which hid the sign-up link when registration was disabled; the registration endpoint itself remained reachable and accepted any well-formed request. Publify's routes.rb used `devise_for :users` without overriding the registrations controller, so Devise's stock `Devise::RegistrationsController#create` handled those requests and performed no check against the blog configuration. The patch (publify_core 9.2.5) introduced a custom controller, users/registrations_controller.rb, with a `require_signup_allowed` before_action that validates `this_blog.allow_signup?` before any registration proceeds.
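The following is an added illustration, not Publify's source code: a dependency-free Ruby model of the bug and of the fix described above. Rails and Devise are replaced by plain Ruby so it runs stand-alone; `Blog#allow_signup?` stands in for Publify's `this_blog.allow_signup?` setting, the `login`/`password` parameters and the redirect target are made up for the demonstration, and the class names are chosen for readability rather than taken from the project.

```ruby
# Added example, not Publify's code. Models Devise's unprotected registration
# endpoint next to a server-side before_action equivalent.

# Stand-in for Publify's blog configuration (`this_blog.allow_signup?`).
Blog = Struct.new(:allow_signup) do
  def allow_signup?
    allow_signup
  end
end

# Unpatched: the registration endpoint (Devise's stock
# RegistrationsController#create reached through `devise_for :users`) does no
# authorization check. The UI hides the sign-up link when the admin disables
# signup, but a request sent straight to the endpoint still creates the user.
class UnpatchedRegistrationsController
  def initialize(blog, users)
    @blog = blog
    @users = users
  end

  def create(params)
    @users << params[:login]
    { status: 201, body: "created #{params[:login]}" }
  end
end

# Patched: the plain-Ruby equivalent of
#   before_action :require_signup_allowed
# runs before `create` and short-circuits the request when signup is disabled.
class PatchedRegistrationsController < UnpatchedRegistrationsController
  def create(params)
    denied = require_signup_allowed
    return denied if denied
    super
  end

  private

  def require_signup_allowed
    return nil if @blog.allow_signup?
    # Mirrors a Rails redirect_to with a flash notice; status code and path
    # are illustrative, not Publify's.
    { status: 302, location: "/users/sign_in", body: "Signup is disabled" }
  end
end

# Send the same forged sign-up request (constructed sample input) to a
# controller backed by a blog whose admin has turned signup off, and report
# whether a user was created.
def attempt_signup(controller_class, allow_signup: false)
  blog = Blog.new(allow_signup)
  users = []
  response = controller_class.new(blog, users).create(login: "mallory", password: "hunter2")
  { response: response, created: users }
end

if $PROGRAM_NAME == __FILE__
  [UnpatchedRegistrationsController, PatchedRegistrationsController].each do |klass|
    result = attempt_signup(klass)
    puts "#{klass}: status=#{result[:response][:status]} created=#{result[:created].inspect}"
  end
end
```

The unpatched controller creates `mallory` even though signup is disabled; the patched one answers with a redirect and creates nothing, while still allowing registration once the admin turns signup back on. In a real Devise application the custom controller only takes effect when routes.rb points at it, for example with Devise's `controllers:` option on `devise_for`; a controller file that exists but is not wired into the routes leaves the stock, unchecked endpoint in place. A practical check on a running Publify instance is therefore to disable signup in the admin settings and send a registration request directly to Devise's registration endpoint: a redirect and no new user means the server-side check is active.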

WAF Protection Rules

WAF Rule

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. `guest` role users can self-register even when the admin does not allow it. This happens due to front-end restriction only. A WAF rule that blocks requests to the registration endpoint while signup is disabled is a mitigation only; the server-side check is added by upgrading publify_core to 9.2.5.
