Lucene search

[email protected]CVE-2016-8600

HistoryOct 28, 2016 - 3:59 p.m.

CVE-2016-8600

2016-10-2815:59:12

CWE-264

CWE-254

[email protected]

web.nvd.nist.gov

dotcms

3.2.1

captcha

security vulnerability

cve-2016-8600

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

79.3%

JSON

In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.

Affected configurations

NVD

Node

dotcmsdotcmsMatch3.2.1

CPENameOperatorVersion
dotcms:dotcmsdotcmseq3.2.1

CPE	Name	Operator	Version
dotcms:dotcms	dotcms	eq	3.2.1

References

seclists.org/fulldisclosure/2016/Oct/63

www.securityfocus.com/bid/93798

github.com/dotCMS/core/issues/9330

security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

79.3%

JSON

Related for CVE-2016-8600

prion1 nvd1 zdt1 cvelist1