4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.967 High
EPSS
Percentile
99.7%
This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery actions should be sufficiently subtle so as to avoid suspicion.
The module doesn’t sufficiently warn about issues that can arise if high values are set on the “delay misery” configuration, which is active by default. Users who are made to suffer “delay missery” can make multiple requests to the site and consume all the web serving processes, causing a denial of service.
This vulnerability is mitigated by the fact that an administrator can change these configuration values on a per user basis within the interface. The option can also be turned off.
Drupal core is not affected. If you do not use the contributed Misery module, there is nothing you need to do.
Install the latest version:
And check your misery delay configuration.
Also see the Misery project page.
drupal.org/contact
drupal.org/project/misery
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/36762
drupal.org/user/600158
drupal.org/user/724750
drupal.org/user/972
drupal.org/writing-secure-code
drupal.org/node/2134409
drupal.org/node/2134413