Group membership requests lack character limit

Low
nattsw published GHSA-6xff-p329-9pgf Jan 27, 2023

Package

No package listed

Affected versions

stable <= 3.0.0; beta <= 3.0.0.beta16; tests-passed <= 3.0.0.beta16

Patched versions

stable > 3.0.0; beta > 3.0.0.beta16; tests-passed > 3.0.0.beta16

Description

Impact

Currently, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However, it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators.

Patches

In the patched versions, a limit of 280 characters has been introduced for membership requests.
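As an added illustration (not Discourse's own code), a plain-Ruby model of the bounded check the patch introduces, with the pre-patch unbounded acceptance beside it; it assumes the limit counts characters, as a Rails `length: { maximum: 280 }` validation does, rather than bytes.

```ruby
# Added example, not code from the Discourse project.
# Assumption: the reason arrives as a UTF-8 String and the 280 limit counts
# characters (String#length counts code points, as a Rails length validation does).

REASON_MAX_CHARS = 280

# Pre-patch behaviour: any reason is accepted and stored verbatim,
# so a single request can carry an arbitrarily large payload.
def accept_request_unbounded(reason)
  { ok: true, reason: reason.to_s }
end

# Patched behaviour: reject reasons longer than 280 characters.
# Returns a hash so the caller can render the error back to the user.
def accept_request_bounded(reason)
  reason = reason.to_s
  unless reason.valid_encoding?
    return { ok: false, error: "reason must be valid UTF-8" }
  end
  if reason.length > REASON_MAX_CHARS
    return { ok: false, error: "reason is too long (maximum is #{REASON_MAX_CHARS} characters)" }
  end
  { ok: true, reason: reason }
end

# Storage caveat: a character limit is not a byte limit. UTF-8 uses up to
# 4 bytes per character, so the column can still receive 4 * 280 bytes per row.
def worst_case_bytes(limit = REASON_MAX_CHARS)
  limit * 4
end
```

The unbounded variant is kept only to contrast with the patched one; in a real model the check would live in the validation layer so every write path enforces it.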

Severity

Low
3.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CVE ID

CVE-2023-23616

Weaknesses

No CWEs