Captcha can be programmatically reused by passing session id

Issue: SI-38
Date: Nov 1, 2016 12:00:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: 3.6
Credit: Elar Lang (Clarified Security – www.clarifiedsecurity.com)
Description:

If you use a captcha-protected resource such as the sendEmailServlet, the same captcha can be submitted again and again (for example, via curl) by reusing the session id cookie from the original request: the captcha answer is kept in the session and is not invalidated once it has been checked.

CVE-2016-8600
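To make the failure mode concrete, the following added example (written for this page, not dotCMS's own servlet code) models a session-backed captcha check in two forms: a handler that verifies the answer but leaves it in the session, so the same cookie and answer pair keeps passing, and a single-use handler that removes the stored answer before comparing, so any replay or retry after a wrong guess is rejected. The session attribute name, the session store and the handler names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Minimal stand-in for an HttpSession looked up by the session id cookie."""
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session table; the key is the value of the session id cookie."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


# Assumed attribute name under which the captcha answer is parked; not dotCMS's real key.
CAPTCHA_KEY = "captcha"


def issue_captcha(store, sid):
    """Render step: generate a challenge answer and store it in the caller's session."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    answer = "".join(secrets.choice(alphabet) for _ in range(6))
    store.get(sid).attributes[CAPTCHA_KEY] = answer
    return answer


def vulnerable_send_email(store, sid, submitted):
    """Vulnerable pattern: the answer is checked but never consumed.

    Because the stored value survives the check, every later request that
    carries the same session cookie and the same answer is accepted too.
    """
    session = store.get(sid)
    if session is None:
        return False
    expected = session.attributes.get(CAPTCHA_KEY)
    return expected is not None and submitted == expected


def hardened_send_email(store, sid, submitted):
    """Single-use pattern: the stored answer is removed before it is compared.

    A replay, or a second attempt after a wrong guess, finds no answer in the
    session and fails; the client has to render and solve a fresh captcha.
    """
    session = store.get(sid)
    if session is None:
        return False
    expected = session.attributes.pop(CAPTCHA_KEY, None)
    if expected is None:
        return False
    # Constant-time comparison; returns False for mismatched lengths as well.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def replay_outcomes():
    """Submit the same answer twice against each handler; returns the accept/reject pairs."""
    store = SessionStore()

    sid = store.create()
    answer = issue_captcha(store, sid)
    vulnerable = (vulnerable_send_email(store, sid, answer),
                  vulnerable_send_email(store, sid, answer))

    sid = store.create()
    answer = issue_captcha(store, sid)
    hardened = (hardened_send_email(store, sid, answer),
                hardened_send_email(store, sid, answer))

    return vulnerable, hardened


if __name__ == "__main__":
    print(replay_outcomes())  # ((True, True), (True, False))
```

Removing the answer before the comparison, rather than after a successful one, matters: if a wrong guess left the value in place, the same session could be used for unlimited guessing, which is the same resource-abuse problem the advisory describes in a different form.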

Workaround:

Restrict access to the REST API via permissions, configuration, firewall, or proxy.
