CVE-2024-13274 – goalgorilla/open_social

Package

Manager: composer
Name: goalgorilla/open_social
Vulnerable Version: >=0 <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0-alpha1 <13.0.0-alpha11

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00042 pctl0.12031

Details

Drupal Open Social allows Functionality Misuse The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.

Metadata

Created: 2025-01-09T21:31:31Z
Modified: 2025-01-14T21:23:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-63wg-87qv-rw4r/GHSA-63wg-87qv-rw4r.json
CWE IDs: ["CWE-799"]
Alternative ID: GHSA-63wg-87qv-rw4r
Finding: F108
Auto approve: 1