by adidionxlm

Abstract Advisory Information

A security issue affecting the Drupal security module named SecKit (https://www.drupal.org/project/seckit) was found.

Author: Dominique Righetto

Version affected

Version inferior or equals to SecKit 7.x-1.9

Common Vulnerability Scoring System



A new feature named “flood control” is available in version “7.x-1.x-dev” and superior. This feature allows Drupal administrators to define limits on the frequency and length on CSP notification events sent. CERT-XLM also recommends defining a length limit on requests sent to the SecKit endpoint at the infrastructure level (WAF, Web Server, and PHP configuration).

Vulnerability Disclosure Timeline

  • 2016-09-02: Security note sent to Drupal Security team about the vulnerability.
  • 2016-09-02: Acknowledge from Drupal Security team about the reception of our note and start of technical exchanges with CERT-XLM.
  • 2016-09-04: Drupal Security team refuse the creation of a CVE because they do not consider this issue as a security issue.
  • 2016-09-05: End of technical exchange with CERT-XLM, let Drupal Security team finalize the “flood control” feature.
  • 2016-10-05: Publishing of the Security Advisory.