Advisory ID: SA-CONTRIB-2017-010
Vulnerability: Denial of Service
Versions affected:
  • CAPTCHA 1.x-1.x versions prior to 1.x-1.3.5.
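As an added check (it is not part of this advisory or of the CAPTCHA module's own code), the script below decides whether an installed copy of the module falls inside the affected range. The fixed release 1.x-1.3.5 is taken from the advisory. Everything else is an assumption: that the module's packaged .info file carries a "version = 1.x-1.3.x" line, that it lives at modules/captcha/captcha.info, and the sample .info content, which is constructed here for illustration. Versions it cannot parse (for example a -dev snapshot) are reported as undetermined rather than silently treated as safe.

```sh
#!/bin/sh
# Added example: checks a Backdrop CAPTCHA module version against the
# fixed release named in SA-CONTRIB-2017-010. Not code from the advisory
# or the module. The .info layout and path below are assumptions.

FIXED_VERSION="1.x-1.3.5"   # from the advisory

# Constructed sample of a packaged captcha.info (assumed layout).
SAMPLE_INFO='name = CAPTCHA
description = Base CAPTCHA module for adding challenges to arbitrary forms.
backdrop = 1.x
version = 1.x-1.3.4
'

# Print the value of the first "version = ..." line read from stdin,
# with optional surrounding double quotes and trailing whitespace removed.
info_version() {
    sed -n '/^[[:space:]]*version[[:space:]]*=/{
        s/^[[:space:]]*version[[:space:]]*=[[:space:]]*//
        s/^"\(.*\)"[[:space:]]*$/\1/
        s/[[:space:]]*$//
        p
    }' | head -n 1
}

# Compare two contrib versions of the form <core>-<major>.<minor>.<patch>.
# Prints "lower", "equal" or "higher" for the first relative to the second,
# or "unknown" when either side has a non-numeric component (e.g. 1.x-1.x-dev).
compare_versions() {
    a=${1#*-}
    b=${2#*-}
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    case "$a1$a2$a3$b1$b2$b3" in
        *[!0-9]*) echo unknown; return 0 ;;
    esac
    # Numeric comparison per component, so 1.10.0 sorts above 1.3.5.
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo lower; return 0; fi
        if [ "$1" -gt "$2" ]; then echo higher; return 0; fi
    done
    echo equal
}

# Exit 0 if the version is affected (prior to the fixed release),
# 1 if it is fixed, 2 if it cannot be determined.
captcha_is_affected() {
    case $(compare_versions "$1" "$FIXED_VERSION") in
        lower) return 0 ;;
        equal|higher) return 1 ;;
        *) return 2 ;;
    esac
}

# Read .info content passed as $1, report the verdict, and return it
# using the same exit codes as captcha_is_affected.
check_info() {
    v=$(printf '%s' "$1" | info_version)
    if [ -z "$v" ]; then
        echo "no version line found"
        return 2
    fi
    captcha_is_affected "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "$v: affected, update to $FIXED_VERSION or later" ;;
        1) echo "$v: not affected" ;;
        *) echo "$v: cannot determine, compare manually" ;;
    esac
    return $rc
}

# Demo on the constructed sample. Against a real site (assumed path):
#   check_info "$(cat modules/captcha/captcha.info)"
check_info "$SAMPLE_INFO"
```

The comparison strips the "1.x-" core prefix and compares major, minor and patch numerically; anything that does not parse as three numbers is reported as undetermined so that a development snapshot is not mistaken for a fixed release.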

Backdrop core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.

Description: 

The CAPTCHA module lets a site use various challenge techniques to block automated scripts and robots from submitting content, for example to stop spam comments.

The module does not properly store the session ID of visitors who are given a session, which could be used to cause a Denial of Service.

This vulnerability is mitigated by the fact that Backdrop does not give every visitor a session, particularly on sites that sit behind an advanced caching layer such as Varnish.

Solution: 
Reported By: 
Fixed By: 
Coordinated By: