CVE-2024-13274

5.3 MEDIUM

📋 TL;DR

This vulnerability in Drupal Open Social lets attackers abuse functionality by making requests more often than the application intends (improper control of interaction frequency). It affects all Open Social installations running vulnerable versions and can enable denial of service or resource exhaustion.

💻 Affected Systems

Products:
  • Drupal Open Social
Versions: 0.0.0 to 12.3.7, 12.4.0 to 12.4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Open Social installations within affected version ranges are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could cause denial of service by overwhelming the application with excessive requests, making it unavailable to legitimate users.

🟠 Likely Case

Resource exhaustion leading to degraded performance or temporary service disruption for targeted users.

🟢 If Mitigated

Minimal impact with proper rate limiting and monitoring in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves improper frequency control, which typically requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.3.8 or 12.4.5

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-038

Restart Required: No

Instructions:

1. Update Open Social to version 12.3.8 (for the 12.3.x branch) or 12.4.5 (for the 12.4.x branch).
2. Clear Drupal caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Implement Rate Limiting

Platform: all

Configure web server or application-level rate limiting to restrict request frequency.

# Example nginx rate limiting (in the http context):
limit_req_zone $binary_remote_addr zone=social:10m rate=10r/s;
# Then apply it inside the relevant server/location block:
limit_req zone=social burst=20 nodelay;

Enable Drupal Flood Control

Platform: all

Configure Drupal's flood control module to limit repeated actions.

# Tighten Drupal core's flood control in settings.php by overriding the
# user.flood configuration (these thresholds govern repeated login attempts):
$config['user.flood']['ip_limit'] = 10;     # attempts allowed per IP within ip_window
$config['user.flood']['ip_window'] = 3600;  # window length in seconds

🧯 If You Can't Patch

  • Implement strict rate limiting at the network perimeter or web server level.
  • Monitor for unusual request patterns and implement automated blocking for abusive IPs.

🔍 How to Verify

Check if Vulnerable:

Check the Open Social version via the Drupal admin interface at /admin/reports/updates, or with drush: drush pm-list --type=module | grep social

Check Version:

drush pm-list --type=module --fields=name,version | grep social

Verify Fix Applied:

Confirm Open Social version is 12.3.8 or higher (12.3.x branch) or 12.4.5 or higher (12.4.x branch).

📡 Detection & Monitoring

Log Indicators:

  • Unusually high request frequency from single IPs
  • Repeated identical requests in short timeframes
  • Error logs showing resource exhaustion

Network Indicators:

  • Spike in HTTP requests to Open Social endpoints
  • Abnormal traffic patterns from single sources

SIEM Query:

source="web_logs" | stats count by src_ip, uri | where count > 1000 | sort -count
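As an added example (not part of this advisory or of the Open Social project), the same check as the SIEM query above, but with a sliding time window, so that a burst of repeated identical requests from one IP stands out from the same count spread over a long period. The log lines are constructed, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:00 +0000] "POST /node/42/comment HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /node/42/comment HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "POST /node/42/comment HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "POST /node/42/comment HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:04 +0000] "POST /node/42/comment HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2025:10:00:00 +0000] "GET /search HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2025:10:00:15 +0000] "GET /search HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2025:10:00:30 +0000] "GET /search HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2025:10:00:45 +0000] "GET /search HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /search HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, epoch_seconds, path) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, when, path.split("?", 1)[0]  # ignore the query string

def find_burst_sources(log_text, threshold=5, window_s=10):
    """Flag (ip, path) pairs that reach `threshold` requests inside any
    `window_s`-second window. Returns {(ip, path): peak_count}.
    Assumes lines are in time order, as a live access log is."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path = parsed
        key = (ip, path)
        q = recent[key]
        q.append(when)
        while q and when - q[0] > window_s:  # drop requests that left the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for (ip, path), n in find_burst_sources(SAMPLE_LOG).items():
        print(f"{ip} {path}: {n} requests within 10 s")
```

With the sample data only 203.0.113.5 is flagged: 198.51.100.7 makes the same number of requests, but spread over a minute, which a plain per-IP count would not distinguish.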
