CVE-2021-44937: glFusion CMS 1.7.9 Arbitrary user registration vulnerability · Issue #485 · glFusion/glfusion
glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.
That’s true, but I’m not sure how much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration. I suppose it wouldn’t hurt to send an email to the new user even if queued, saying “your account is pending approval”.
On Wed, Dec 8, 2021 at 10:18 PM Topsec_bunney wrote:

> There is a logical problem with the user registration page. After clicking the register button, the user does not need to confirm the email. The system directly saves the submitted content in the database. This leads to a problem. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.
> [image: firefox_0LibhucPYT] https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png
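The thread above describes a registration flow that marks an email address as taken the moment the form is submitted, before the mailbox owner has confirmed anything. The following is an added illustration, not glFusion's code (Python is used rather than the project's PHP so the two models can be run side by side). `VulnerableRegistry` models the reported behaviour; `VerifiedRegistry` models the usual mitigation, where an address is only reserved by an unexpired confirmation token and only a confirmed registration is final. The token lifetime, the `notify` hook and the in-memory stores are assumptions made for this example.

```python
"""Added example (not glFusion code): why an email address should not count
as "occupied" before the registration has been confirmed.

Both registries below are toy in-memory models written for this example.
"""
import secrets
import time
from dataclasses import dataclass


class VulnerableRegistry:
    """Models the reported behaviour: the submitted email is stored as taken
    as soon as the form is posted, before anyone proves they control it."""

    def __init__(self):
        self.users = {}  # email -> username, stored without verification

    def register(self, username, email):
        if email in self.users:
            raise ValueError("email already in use")
        self.users[email] = username
        return "registered"


@dataclass
class Pending:
    username: str
    token: str
    expires_at: float


class VerifiedRegistry:
    """Hardened model: an address is held only while an unexpired confirmation
    token exists, and only a confirmed registration becomes a user record.
    The TTL and the notify() hook are assumptions made for this example."""

    def __init__(self, ttl_seconds=3600, clock=time.time, notify=None):
        self.users = {}      # email -> username (confirmed registrations only)
        self.pending = {}    # email -> Pending (unconfirmed, time-limited)
        self.ttl = ttl_seconds
        self.clock = clock   # injectable so expiry can be tested offline
        self.notify = notify or (lambda email, message: None)  # stands in for sending mail

    def _purge_expired(self):
        now = self.clock()
        for email in [e for e, p in self.pending.items() if p.expires_at <= now]:
            del self.pending[email]

    def register(self, username, email):
        """Accept a registration request; the token only goes to the mailbox."""
        self._purge_expired()
        if email in self.users:
            # Do not tell the requester whether the address is in use; the
            # mailbox owner is the one who should learn of the attempt.
            self.notify(email, "someone tried to register with your address")
            return False
        # A newer request replaces an unconfirmed one, so an unconfirmed
        # registration cannot permanently squat on someone else's address.
        token = secrets.token_urlsafe(32)
        self.pending[email] = Pending(username, token, self.clock() + self.ttl)
        self.notify(email, f"confirm your registration: {token}")
        return True

    def confirm(self, email, token):
        """Finalise the registration if the token is current and matches."""
        self._purge_expired()
        p = self.pending.get(email)
        if p is None or not secrets.compare_digest(p.token, token):
            return False
        del self.pending[email]
        self.users[email] = p.username
        return True

    def is_taken(self, email):
        """Only confirmed registrations make an address unavailable."""
        self._purge_expired()
        return email in self.users
```

In the hardened model a request for an address that is already pending simply issues a fresh token to that mailbox, so the legitimate owner can always complete a registration, and an unconfirmed request disappears on its own once the token expires.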