Advisory ID: 
SA-CONTRIB-2017-010
Vulnerability: 
Denial of Service
Versions affected: 
  • CAPTCHA 1.x-1.x versions prior to 1.x-1.3.5.

Backdrop core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.

The Captcha module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments.

The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack.

This vulnerability is mitigated by the fact that Backdrop does not give a session to all visitors, especially when used with advanced caching systems like Varnish.

Solution: 
Reported By: 
Fixed By: 
Coordinated By: