

Date: November 2, 2021


In Publify, versions 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control: users with the “guest” role can self-register even when the admin has disabled self-registration. This happens because the restriction is enforced only in the front end.


A user can sign up for a “guest”-privilege account by browsing directly to the signup URL, even after the admin has disabled user self-registration.

PoC Details

Log in to the application as admin. Go to the “/settings/index” endpoint and disable the feature that allows users to self-register.
In an incognito window, browse to the signup endpoint and try to sign up as a new user. An external user is still able to create an account even though the feature has been disabled by the admin.
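To make the root cause concrete, here is an added illustration (not Publify's own code) of the difference between hiding the signup link in a template and checking the setting server-side; the class, method and setting names are hypothetical stand-ins for a Rails app, and the PoC above is replayed against both handlers.

```ruby
# Constructed stand-in for the admin-managed setting edited at /settings/index.
Settings = Struct.new(:allow_signup)

# Constructed in-memory user table; every self-registered account gets "guest".
class UserStore
  attr_reader :users
  def initialize
    @users = {}
  end

  def create(login)
    @users[login] = { login: login, role: 'guest' }
  end
end

# Vulnerable pattern: the template consults show_link? to hide the "Sign up"
# link when the setting is off, but the request handler never re-checks it,
# so a direct request to the signup URL still creates an account.
class UnguardedSignupController
  def initialize(settings, store)
    @settings = settings
    @store = store
  end

  def show_link? # used only by the view layer
    @settings.allow_signup
  end

  def create(login) # handles a POST to the signup URL
    @store.create(login)
    [201, "created #{login}"]
  end
end

# Fixed pattern: the same check runs on the server before any account is
# created, regardless of what the template rendered.
class GuardedSignupController < UnguardedSignupController
  def create(login)
    return [403, 'self-registration is disabled'] unless @settings.allow_signup
    super
  end
end

# Replays the PoC: admin disables self-registration, then an outsider posts
# directly to the signup URL. Returns the HTTP status and whether an account exists.
def poc(controller_class)
  settings = Settings.new(false) # admin has disabled self-registration
  store = UserStore.new
  status, _body = controller_class.new(settings, store).create('outsider')
  { status: status, account_created: store.users.key?('outsider') }
end
```

Against the unguarded handler the PoC yields a 201 and a new guest account; against the guarded handler it yields a 403 and no account, which is the behaviour a defender should verify after upgrading.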

Affected Environments

Publify versions 9.0.0.pre1 to 9.2.4


Update to Publify version v9.2.5

Language: Ruby

Good to know:


Improper Authorization


Incorrect Resource Transfer Between Spheres


Incorrect Authorization


Upgrade Version

Upgrade to version publify_core - 9.2.5


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None