The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.
{
"github_reviewed_at": "2025-01-14T21:23:11Z",
"nvd_published_at": "2025-01-09T20:15:36Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-799"
],
"severity": "MODERATE"
}