Strapi Release: 3.0.0-beta.20.2

Tag Name: v3.0.0-beta.20.2

Release Date: 5/5/2020

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v3.0.0-beta.20.2 addresses a critical security vulnerability in the user registration process. This patch prevents users from bypassing email confirmation by restricting the fields allowed during registration, ensuring that accounts cannot be registered as already confirmed.

Highlight of the Release

    • Fixed security vulnerability in the users-permissions plugin
    • Prevented users from registering accounts with confirmed status
    • Enhanced email confirmation workflow security

Migration Guide

No migration steps are required for this security update. The fix is automatically applied when updating to v3.0.0-beta.20.2.

Upgrade Recommendations

Immediate Upgrade Recommended

Because this is a security release, an immediate upgrade is strongly recommended for all Strapi instances running v3.0.0-beta.20.1 or earlier that have user registration with email confirmation enabled.

To upgrade:

npm install [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Or if using yarn:

yarn upgrade [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Bug Fixes

No general bug fixes were included in this release.

New Features

No new features were introduced in this release. This is strictly a security patch release.

Security Updates

Users-Permissions Plugin Registration Vulnerability Fix

This release addresses a critical security vulnerability in the user registration process when email confirmation is enabled. Previously, it was possible for users to register an account and set it as already confirmed, effectively bypassing the email confirmation step.

The fix restricts the fields that can be submitted during registration, ensuring that users cannot manipulate their confirmation status during the registration process. This enhancement ensures that the email confirmation workflow functions as intended, requiring users to verify their email address before gaining full access to the system.

Affected Component: users-permissions plugin

PR: #6072
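As an added illustration of the fix described above (not Strapi's own code, and not the contents of PR #6072), the hypothetical register step below contrasts copying the whole request body into the user record with reading only an allowlist of registration fields; the field names, the settings object and the sample payload are assumptions.

```javascript
// Hypothetical register step (not Strapi's code) contrasting the pattern this
// release removes with the field-restricting pattern it introduces.

// Constructed sample payload: a normal sign-up plus an extra "confirmed" key
// that a client should never be able to set.
const samplePayload = {
  username: "alice",
  email: "alice@example.com",
  password: "correct horse battery staple",
  confirmed: true,
};

// Assumed server-side setting mirroring "email confirmation enabled".
const settingsWithConfirmation = { emailConfirmation: true };

// Pre-fix style: the whole request body is copied into the user record, so a
// client-supplied "confirmed" survives and the confirmation e-mail is moot.
function buildUserVulnerable(body, settings) {
  const user = { ...body, provider: "local" };
  if (user.confirmed === undefined) {
    user.confirmed = !settings.emailConfirmation;
  }
  return user;
}

// Post-fix style: only an explicit allowlist of registration fields is read
// from the body; the confirmation state comes from server settings alone.
const REGISTRATION_FIELDS = ["username", "email", "password"];

function buildUserHardened(body, settings) {
  const user = { provider: "local" };
  for (const field of REGISTRATION_FIELDS) {
    if (body[field] !== undefined) {
      user[field] = body[field];
    }
  }
  user.confirmed = !settings.emailConfirmation;
  return user;
}

// Lists client-supplied keys the allowlist dropped; logging these on
// registration is a cheap signal that someone is probing the endpoint.
function rejectedFields(body) {
  return Object.keys(body).filter((key) => !REGISTRATION_FIELDS.includes(key));
}
```

With email confirmation enabled, the first builder returns a record with confirmed set to true straight from the client, while the second always returns confirmed: false and reports "confirmed" as a rejected field.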

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

This security release addresses a vulnerability in the users-permissions plugin that could allow users to bypass email confirmation during registration. The impact is significant for any Strapi instance that relies on email confirmation as a security measure or verification step.

By restricting the fields that can be submitted during registration, this patch ensures that users cannot manipulate their confirmation status, maintaining the integrity of your user verification workflow. This is particularly important for sites that provide different levels of access or functionality to confirmed users.

The fix was implemented with minimal changes to the codebase and requires no configuration changes or migrations, making it a straightforward but essential update for all Strapi instances.

Full Release Notes

⚠️ Security Fix

When using the user registration feature with email confirmation enabled, it was possible to register a user as already confirmed.

Statistics:

Files changed: 37
Line additions: 98
Line deletions: 97
Line changes: 195
Total commits: 3

Users Affected:

  • Enhanced security for their Strapi instance by preventing unauthorized confirmed user registrations
  • No longer need to worry about users bypassing the email confirmation process

Contributors:

alexandrebodin