Captcha can be programmatically reused by passing session id

Issue: SI-38
Date: Nov 1, 2016 12:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3.6
Credit: Elar Lang (Clarified Security –

A captcha-protected resource such as the sendEmailServlet accepts the same captcha solution repeatedly: a client that reuses the session id cookie from the original request can pass the already-solved captcha again and again, for example from a script using curl, because the server never invalidates the captcha after it has been checked.
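The following is an added example, not dotCMS code, that models the defect in a few lines: a captcha answer is stored in the server-side session, and the vulnerable handler compares the submission against it without ever removing it, so any later request carrying the same session cookie is accepted again. The hardened handler consumes the stored answer on first use. The session store, the handler names and the captcha alphabet are all hypothetical stand-ins for the real servlet plumbing.

```python
# Added example (not dotCMS code): a minimal model of a session-bound captcha
# check. Shows why a captcha left in the session can be replayed with the same
# session id cookie, and how a one-time-use check closes the gap.
# SessionStore, issue_captcha and the handler names are hypothetical.
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for the server-side session map (constructed)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def issue_captcha(store, sid):
    """Generate a captcha answer and store it in the session.

    Image rendering is omitted; in a real flow only the rendered image
    reaches the client, never the stored answer."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    answer = "".join(secrets.choice(alphabet) for _ in range(6))
    store.get(sid)["captcha"] = answer
    return answer


def handle_vulnerable(store, sid, submitted):
    """Accept the captcha as long as it matches what the session holds.

    Nothing removes the stored answer, so every later request that presents
    the same session id cookie and the same answer is accepted again."""
    session = store.get(sid)
    if session is None:
        return False
    expected = session.get("captcha")
    return expected is not None and hmac.compare_digest(expected, submitted)


def handle_fixed(store, sid, submitted):
    """Same comparison, but the stored answer is consumed first.

    The answer is removed whether or not it matched, so a second submission
    with the same session id fails and a wrong guess cannot be retried
    against the same challenge either."""
    session = store.get(sid)
    if session is None:
        return False
    expected = session.pop("captcha", None)  # one-time use
    return expected is not None and hmac.compare_digest(expected, submitted)


def replay_outcomes():
    """Run one solve plus one replay against each handler.

    Returns (vulnerable_first, vulnerable_replay, fixed_first, fixed_replay)."""
    store = SessionStore()

    sid = store.create()
    answer = issue_captcha(store, sid)
    v1 = handle_vulnerable(store, sid, answer)
    v2 = handle_vulnerable(store, sid, answer)  # same cookie, same answer: accepted again

    sid2 = store.create()
    answer2 = issue_captcha(store, sid2)
    f1 = handle_fixed(store, sid2, answer2)
    f2 = handle_fixed(store, sid2, answer2)  # rejected: the answer was consumed

    return v1, v2, f1, f2


if __name__ == "__main__":
    print(replay_outcomes())  # (True, True, True, False)
```

The fixed handler removes the stored answer before acting on the comparison result rather than after a successful match, so a failed attempt also invalidates the challenge; the client has to fetch a fresh captcha for every submission, which is the property the servlet in this issue lacked.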
Restrict access to the REST API via permissions, configuration, firewall, or proxy.