Vulnerability Details : CVE-2016-8600
In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.
Products affected by CVE-2016-8600
- cpe:2.3:a:dotcms:dotcms:3.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8600
0.65%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 79 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-8600
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2016-8600
-
Assigned by: nvd@nist.gov (Primary)
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-8600
-
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code - Security | Elar LangExploit;Third Party Advisory
-
http://seclists.org/fulldisclosure/2016/Oct/63
Full Disclosure: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid codeExploit;Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/93798
dotCMS CVE-2016-8600 Security Bypass Vulnerability
-
https://github.com/dotCMS/core/issues/9330
Captcha can be programmatically reused by passing session id · Issue #9330 · dotCMS/core · GitHubVendor Advisory
Jump to