CVE-2016-8600 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Dotcms	Dotcms	3.2.1

Related Weaknesses (CWE)

CWE-254 CWE-264

References

http://seclists.org/fulldisclosure/2016/Oct/63ExploitThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/93798
https://github.com/dotCMS/core/issues/9330Vendor Advisory
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valiExploitThird Party Advisory
http://seclists.org/fulldisclosure/2016/Oct/63ExploitThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/93798
https://github.com/dotCMS/core/issues/9330Vendor Advisory
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valiExploitThird Party Advisory

FAQ

What is CVE-2016-8600?

CVE-2016-8600 is a vulnerability with a CVSS score of 7.5 (HIGH). In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.

How severe is CVE-2016-8600?

CVE-2016-8600 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8600?

Check the references section above for vendor advisories and patch information. Affected products include: Dotcms Dotcms.