The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login.
https://www.drupal.org/node/2511410
https://www.drupal.org/node/2511200