Authentication bypass in vector-admin allows a user to register on a vector-admin server while “domain restriction” is active, even without owning an email address under an authorized domain.
No version tags. Fixed in commit a581b81
The admin user of a vector-admin server can define a list of domains; any user who does not own an email address under one of those domains is then prevented from registering on the server. The registration portal itself requires no other form of authentication beyond an email address under one of the configured domains.
The domain restriction check is performed with the “includes” function, which only checks whether a given string is present anywhere in the supplied input, not whether the input starts or ends with that string.
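The substring check next to an exact-match check, as an added illustration that is not vector-admin's own code; the shape of the allow-list, the function names and the sample addresses are assumptions:

```javascript
// Added example (not vector-admin's code): a substring-based domain check
// beside an exact-match check. Allow-list format, function names and
// sample addresses are assumptions for illustration.

// Constructed allow-list, as an admin might configure it.
const ALLOWED_DOMAINS = ["example.com", "corp.example"];

// Weak check: String.prototype.includes only asks whether the domain text
// appears somewhere in the email, not whether it is the actual domain part.
function isAllowedWeak(email, allowed = ALLOWED_DOMAINS) {
  return allowed.some((domain) => email.includes(domain));
}

// Hardened check: take the text after the last "@", normalise case and
// whitespace, and require an exact match against the allow-list.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  // Reject a missing "@", an empty local part or an empty domain part.
  if (at <= 0 || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1).toLowerCase();
}

function isAllowedStrict(email, allowed = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  if (domain === null) return false;
  return allowed.some((d) => d.toLowerCase() === domain);
}

// Constructed registration attempts used to compare the two checks.
const SAMPLES = [
  "alice@example.com",             // legitimate: both checks accept
  "alice@sub.example.com",         // subdomain: substring matches, exact does not
  "example.com@attacker.test",     // domain text only in the local part
  "bob@example.com.attacker.test", // domain text as a prefix of another domain
  "not-an-email",                  // no "@": strict check rejects
];

function compareChecks(samples = SAMPLES) {
  return samples.map((email) => ({
    email,
    weak: isAllowedWeak(email),
    strict: isAllowedStrict(email),
  }));
}

console.table(compareChecks());
```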
No PoC is supplied for this issue
No mitigations are supplied for this issue