TSPortal Uncontrolled User Creation Vulnerability Leading to Potential Denial-of-Service

A vulnerability in TSPortal, the WikiTide Foundation's platform for managing trust and safety reports, prior to version 34, allowed attackers to create arbitrary user records in the database by exploiting validation logic. Although the validation correctly rejected invalid usernames, a side effect in the validation process led to the creation of user records regardless of the request's success. This flaw could be used to cause uncontrolled database growth, potentially leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability could result in mass creation of user records, causing unbounded database growth and increased storage and indexing overhead. This could degrade application performance and, at scale, lead to a denial-of-service condition due to resource exhaustion.

Reproduction

To reproduce this vulnerability, submit a Data Processing Agreement (DPA) request using an invalid username. The request will fail validation, but a user record will still be created in the database. This behavior can be automated to exploit the vulnerability at scale.

Remediation

Users can upgrade to TSPortal version 34 or later, where this vulnerability has been fixed.