Lucene search

[email protected]CVE-2014-3781

HistoryJun 11, 2014 - 2:55 p.m.

CVE-2014-3781

2014-06-1114:55:00

CWE-287

[email protected]

web.nvd.nist.gov

dotclear

2.6.3

dcxmlrpc::setuser

authentication bypass

cve-2014-3781

remote attackers

xml-rpc

7.1 High

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.011 Low

EPSS

Percentile

84.0%

JSON

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

CPENameOperatorVersion
dotclear:dotcleardotclearle2.6.2
dotclear:dotcleardotcleareq2.6
dotclear:dotcleardotcleareq2.6.1

CPE	Name	Operator	Version
dotclear:dotclear	dotclear	le	2.6.2
dotclear:dotclear	dotclear	eq	2.6
dotclear:dotclear	dotclear	eq	2.6.1

References

dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3

karmainsecurity.com/KIS-2014-05

packetstormsecurity.com/files/126766/Dotclear-2.6.2-Authentication-Bypass.html

seclists.org/fulldisclosure/2014/May/107

secunia.com/advisories/58675

7.1 High

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.011 Low

EPSS

Percentile

84.0%

JSON

Related for CVE-2014-3781

packetstorm1 securityvulns2 prion1 ubuntucve1 openvas1 zdt1