| Issue: | |
|---|---|
| Date: | |
| Severity: | Low |
| Requires Admin Access: | No |
| Fix Version: | 3.6 |
| Credit: | Elar Lang (Clarified Security – www.clarifiedsecurity.com) |
| Description: | A captcha-protected resource such as the sendEmailServlet does not invalidate a captcha once it has been solved. After one legitimate request, the same captcha value can be submitted again and again (for example with curl) as long as the request carries the session id cookie of the original request, so the captcha gives no protection against repeated or automated use of the resource. CVE-2016-8600 |
| Mitigation: | Upgrade to 3.6, which fixes the issue. Until then, restrict access to the REST API via permissions, configuration, a firewall, or a proxy. |
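The check that fails in the advisory and the single-use form that closes the hole, as an added example that is not the affected project's code. The in-memory session store, the `SESSIONS` dictionary, the handler names `send_email_vulnerable` and `send_email_fixed`, and the `CAPTCHA_TTL` value are assumptions made to show the flaw in isolation; `replay_probe` stands in for re-sending the captured request with the original session cookie, as the curl replay in the description does.

```python
"""Captcha replay: a check that can be replayed next to one that cannot.

Added example for the advisory above; not the affected project's code. The
session store, field names and handler signatures are assumptions.
"""
import hmac
import secrets
import time

# Constructed in-memory session store keyed by the session id cookie (assumption).
SESSIONS = {}
# How long a solved captcha stays valid before it must be re-issued (assumption).
CAPTCHA_TTL = 300.0


def new_session():
    """Create a session and return the id the client would carry as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_captcha(sid):
    """Generate a challenge and store the expected answer in the session.

    Returns the answer only so the example can simulate a user solving it;
    a real implementation renders it as an image and never returns it.
    """
    answer = secrets.token_hex(3)
    SESSIONS[sid]["captcha"] = {"answer": answer, "issued": time.monotonic()}
    return answer


def send_email_vulnerable(sid, captcha):
    """Mirrors the flaw in the advisory.

    The stored answer is compared but never consumed, so every later request
    that carries the same session cookie and the same answer passes again.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    entry = session.get("captcha")
    return entry is not None and captcha == entry["answer"]


def send_email_fixed(sid, captcha):
    """Single-use check.

    The answer is removed from the session before it is compared, so it is
    consumed by the first attempt whether that attempt succeeds or fails,
    it expires after CAPTCHA_TTL, and the comparison is constant-time. A
    client must request a fresh captcha for every protected action.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    entry = session.pop("captcha", None)  # one attempt per challenge
    if entry is None:
        return False
    if time.monotonic() - entry["issued"] > CAPTCHA_TTL:
        return False
    return hmac.compare_digest(entry["answer"].encode(), captcha.encode())


def replay_probe(handler, attempts=3):
    """Solve one captcha, then resend the same (cookie, answer) pair repeatedly.

    This is the curl replay from the advisory reduced to a function call.
    Returns the outcome of each attempt; a correct check accepts only the first.
    """
    sid = new_session()
    answer = issue_captcha(sid)
    return [handler(sid, answer) for _ in range(attempts)]


if __name__ == "__main__":
    print("vulnerable:", replay_probe(send_email_vulnerable))  # [True, True, True]
    print("fixed:     ", replay_probe(send_email_fixed))       # [True, False, False]
```

Against a live deployment the same probe is the capture of one successful request followed by re-sending it with the original session cookie; if the second send is accepted, the captcha is replayable. Consuming the answer on failure as well as on success is deliberate: it also stops a client from guessing at one stored answer an unlimited number of times.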