Abstract Advisory Information
Author: Dominique Righetto
Affected versions: SecKit 7.x-1.9 and earlier
Common Vulnerability Scoring System
A new feature named “flood control” is available in version “7.x-1.x-dev” and later. It allows Drupal administrators to define limits on the frequency and length of the CSP notification events sent to the SecKit endpoint. CERT-XLM also recommends enforcing a length limit on requests sent to the SecKit endpoint at the infrastructure level (WAF, web server, and PHP configuration).
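The flood-control idea described above, as an added example that is not SecKit's own code: a stand-alone Python check for a CSP report endpoint that enforces a body-length limit before any parsing and a per-client frequency limit over a sliding window. The limit values, the client identifier and the sample report are assumptions constructed for this illustration.

```python
import json
import time
from collections import defaultdict, deque

# Constructed limits for this example; SecKit's own defaults are not stated in the advisory.
MAX_REPORT_BYTES = 4096      # reject oversized report bodies before parsing
MAX_REPORTS_PER_WINDOW = 10  # accepted hits per client identifier per window
WINDOW_SECONDS = 60


class CspReportFloodControl:
    """Length and frequency limits for a CSP violation-report endpoint."""

    def __init__(self, max_bytes=MAX_REPORT_BYTES, max_hits=MAX_REPORTS_PER_WINDOW,
                 window=WINDOW_SECONDS):
        self.max_bytes = max_bytes
        self.max_hits = max_hits
        self.window = window
        self._hits = defaultdict(deque)  # client id -> timestamps of counted hits

    def _prune(self, client, now):
        """Drop timestamps that have fallen out of the sliding window."""
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def handle(self, client, body, now=None):
        """Return ('accepted', report_dict) or ('rejected', reason)."""
        now = time.time() if now is None else now
        # 1. Length limit: the cheapest check, done before any parsing work.
        if len(body) > self.max_bytes:
            return ("rejected", "body too large")
        # 2. Frequency limit: the attempt is counted even if the body turns out to be
        #    malformed, so garbage reports are not free for the sender.
        q = self._prune(client, now)
        if len(q) >= self.max_hits:
            return ("rejected", "rate limit exceeded")
        q.append(now)
        # 3. Only now parse; malformed JSON or a missing csp-report key is dropped.
        try:
            report = json.loads(body.decode("utf-8"))["csp-report"]
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return ("rejected", "malformed report")
        return ("accepted", report)


# Constructed sample of what a browser POSTs to a report-uri endpoint.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://blocked.example/x.js",
}}).encode("utf-8")
```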
Vulnerability Disclosure Timeline
- 2016-09-02: Security note sent to the Drupal Security team about the vulnerability.
- 2016-09-02: Acknowledgement from the Drupal Security team of the reception of our note and start of technical exchanges with CERT-XLM.
- 2016-09-04: The Drupal Security team refuses the creation of a CVE because they do not consider this issue a security issue.
- 2016-09-05: End of the technical exchange with CERT-XLM; the Drupal Security team goes on to finalize the “flood control” feature.
- 2016-10-05: Publication of the Security Advisory.