View online: https://www.drupal.org/sa-contrib-2024-038 Project: Open Social [1] Date: 2024-September-04 Security risk: *Moderately critical* 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Denial of Service Affected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11 Description:  Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker. Solution:  Install the latest version: * If you use Open Social 12.3.x, upgrade to Open Social 12.3.8 [3] * If you use Open Social 12.4.x, upgrade to Open Social 12.4.5 [4] Reported By:  * vnech [5] Fixed By:  * Ronald te Brake [6] * vnech [7] Coordinated By:  * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Heine Deelstra [10] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/12.3.8 [4] https://www.drupal.org/project/social/releases/12.4.5 [5] https://www.drupal.org/user/3545979 [6] https://www.drupal.org/user/2314038 [7] https://www.drupal.org/user/3545979 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/user/17943