It's possible to register accounts with the same name as permission groups
|Reported by:||Owned by:||Matt Good|
|Cc:||Gunnar Wagenknecht||Trac Release:||0.8|
The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.