Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
Project: Open Social
Date: 2024-September-04
Security risk: Moderately critical 10/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Denial of Service
Affected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11
Description: Open Social is a Drupal distribution for online communities.
The distribution did not validate the flood control limits on the password reset form correctly, so an attacker could flood the password reset form, which could result in a Denial of Service. The form's response does not disclose any information to the attacker.
Solution: Install the latest version:
- If you use Open Social 12.3.x, upgrade to Open Social 12.3.8
- If you use Open Social 12.4.x, upgrade to Open Social 12.4.5
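The following is an added illustration of what a correctly enforced flood control check on a password reset form looks like; it is not Open Social's or Drupal core's code. It models the two counters Drupal's flood service is normally used for on this form (a per-IP limit and a per-account limit, each over its own sliding window) with an in-memory register, and keeps the user-facing message independent of whether the account exists. All limits, account names and addresses are constructed for the example.

```python
"""Flood control for a password reset endpoint: a per-IP limit and a
per-account limit, each enforced over a sliding time window.
Added example; the limit values are constructed, not a project's config."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Sent whether or not the account exists, so the endpoint leaks nothing.
GENERIC_MESSAGE = "If the account exists, a reset link has been sent."
IP_EVENT = "user.password_request_ip"
USER_EVENT = "user.password_request_user"


@dataclass
class FloodControl:
    """In-memory flood register: event name -> identifier -> timestamps."""
    events: dict = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(deque)))

    def is_allowed(self, name, threshold, window, identifier, now):
        # Drop events older than the window, then compare against threshold.
        q = self.events[name][identifier]
        while q and q[0] <= now - window:
            q.popleft()
        return len(q) < threshold

    def register(self, name, identifier, now):
        self.events[name][identifier].append(now)


@dataclass
class PasswordResetLimits:
    ip_limit: int = 50        # requests per IP per ip_window seconds
    ip_window: int = 3600
    user_limit: int = 5       # requests per account per user_window seconds
    user_window: int = 21600


def request_password_reset(flood, limits, ip, account_name, now, known_accounts):
    """Return (allowed, message). Every request is counted before any work
    is done, so an attacker cannot bypass the limit with unknown names."""
    if not flood.is_allowed(IP_EVENT, limits.ip_limit, limits.ip_window, ip, now):
        return False, "Too many password recovery requests from your IP address."
    flood.register(IP_EVENT, ip, now)

    # Normalise the identifier so case variants share one bucket. The counter
    # is kept for unknown accounts too, so the block message does not reveal
    # whether the account exists.
    ident = account_name.strip().lower()
    if not flood.is_allowed(USER_EVENT, limits.user_limit, limits.user_window, ident, now):
        return False, "Too many password recovery requests for this account."
    flood.register(USER_EVENT, ident, now)

    if ident in known_accounts:
        pass  # this is where the reset e-mail would be sent
    return True, GENERIC_MESSAGE


def simulate_flood(flood, limits, ip, account_name, attempts, now):
    """Fire `attempts` requests at once from one IP against one account and
    count how each was handled. Constructed scenario for the example."""
    counts = {"allowed": 0, "user_blocked": 0, "ip_blocked": 0}
    for _ in range(attempts):
        ok, msg = request_password_reset(
            flood, limits, ip, account_name, now, {account_name})
        if ok:
            counts["allowed"] += 1
        elif "IP address" in msg:
            counts["ip_blocked"] += 1
        else:
            counts["user_blocked"] += 1
    return counts


if __name__ == "__main__":
    flood, limits = FloodControl(), PasswordResetLimits()
    print(simulate_flood(flood, limits, "203.0.113.7", "alice", 60, now=1000))
```

With the constructed limits, 60 back-to-back requests from one address against one account yield 5 accepted, 45 refused by the per-account counter and 10 refused by the per-IP counter; once both windows have elapsed the same address is served again. The order matters: the IP counter is registered before the account check runs, so repeated requests that fail the account check still consume the IP budget.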
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team