VYPR
Moderate severity · NVD Advisory · Published Jan 9, 2025 · Updated Jan 14, 2025

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

CVE-2024-13274

Description

Improper rate limiting in Drupal Open Social's password reset form allows attackers to cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-13274 is a vulnerability in the Drupal Open Social distribution caused by improper control of interaction frequency on the password reset form. The software failed to enforce flood control limits, so an attacker could submit an excessive number of password reset requests without being rate limited [1].

An unauthenticated attacker can exploit this by repeatedly submitting the password reset form; each submission triggers e-mail notifications and server-side processing. The attack requires no special network position or credentials, because the password reset form is publicly accessible [2].

The primary impact is denial of service (DoS) due to resource exhaustion from flooding the system with reset requests. Crucially, the advisory notes that the reset message does not disclose any information to the attacker, so there is no data leakage [2].

Mitigation involves upgrading to Open Social versions 12.3.8, 12.4.5, or 13.0.0-alpha11 and later, which include the correct flood control validation [2]. The Drupal security team has rated this as moderately critical.
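To show what the missing flood control looks like in practice, here is an added example of a Drupal password-reset request form whose validation enforces a per-IP and a per-account limit through core's Flood API (the `flood` service and the `user.flood` settings `ip_limit`, `ip_window`, `user_limit`, `user_window`). This is illustrative code written for this page, not Open Social's form or the advisory's fix; the module namespace `example_flood` and the class name are hypothetical.

```php
<?php

declare(strict_types=1);

// Hypothetical module namespace; "example_flood" is not a real module.
namespace Drupal\example_flood\Form;

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\user\UserInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Password-reset request form protected by Drupal's Flood API.
 *
 * Reads the "user.flood" settings (ip_limit, ip_window, user_limit,
 * user_window) that Drupal core ships for exactly this purpose.
 */
final class RateLimitedPasswordRequestForm extends FormBase {

  public function __construct(
    private readonly FloodInterface $flood,
    private readonly EntityTypeManagerInterface $entityTypeManager,
  ) {}

  public static function create(ContainerInterface $container): static {
    return new static(
      $container->get('flood'),
      $container->get('entity_type.manager'),
    );
  }

  public function getFormId(): string {
    return 'example_flood_password_request';
  }

  public function buildForm(array $form, FormStateInterface $form_state): array {
    $form['name'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Username or email address'),
      '#required' => TRUE,
    ];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Submit')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state): void {
    $limits = $this->config('user.flood');

    // 1. Per-IP limit. This is the check whose absence lets a single client
    //    submit an unbounded number of requests. Every submission is counted,
    //    whether or not the name matches an account; the flood identifier
    //    defaults to the client IP of the current request.
    if (!$this->flood->isAllowed('user.password_request_ip', $limits->get('ip_limit'), $limits->get('ip_window'))) {
      $form_state->setErrorByName('name', $this->t('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later.'));
      return;
    }
    $this->flood->register('user.password_request_ip', $limits->get('ip_window'));

    $account = $this->loadAccount(trim((string) $form_state->getValue('name')));
    if ($account === NULL || !$account->isActive()) {
      // No validation error: the response must look the same whether or not
      // the account exists, so the form cannot be used to enumerate accounts.
      return;
    }

    // 2. Per-account limit, keyed on the uid so it applies across IP addresses
    //    and caps how many reset e-mails any one user can be sent.
    $uid = (string) $account->id();
    if (!$this->flood->isAllowed('user.password_request_user', $limits->get('user_limit'), $limits->get('user_window'), $uid)) {
      return; // Silent for the same reason as above.
    }
    $this->flood->register('user.password_request_user', $limits->get('user_window'), $uid);
    $form_state->setValueForElement(['#parents' => ['account']], $account);
  }

  public function submitForm(array &$form, FormStateInterface $form_state): void {
    $account = $form_state->getValue('account');
    if ($account instanceof UserInterface) {
      // Core helper from user.module that sends the "password_reset" mail.
      _user_mail_notify('password_reset', $account);
    }
    // Identical neutral message in every case.
    $this->messenger()->addStatus($this->t('If the account exists, an email with further instructions has been sent.'));
  }

  private function loadAccount(string $name): ?UserInterface {
    $storage = $this->entityTypeManager->getStorage('user');
    $users = $storage->loadByProperties(['mail' => $name]);
    if ($users === []) {
      $users = $storage->loadByProperties(['name' => $name]);
    }
    $account = reset($users);
    return $account instanceof UserInterface ? $account : NULL;
  }

}
```

The order matters: the IP counter is checked and registered before any account lookup or mail sending, so the cost of a flood is bounded by `ip_limit` per `ip_window` regardless of the input. The per-user counter is registered only after the IP check passes, and the submit handler returns the same message and status whether or not an account was found, which preserves the property the advisory notes (the reset message discloses nothing about account existence).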

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions                     Patched versions
goalgorilla/open_social (Packagist)      < 12.3.8                              12.3.8
goalgorilla/open_social (Packagist)      >= 12.4.0, < 12.4.5                   12.4.5
goalgorilla/open_social (Packagist)      >= 13.0.0-alpha1, < 13.0.0-alpha11    13.0.0-alpha11

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in our index yet)