WordPress Ajax BootModal Login 1.4.3 CAPTCHA Issue

2018.09.08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

About: =========== Component: Ajax BootModal Login (Wordpress plugin) Vulnerable version: 1.4.3 and possibly prior CVE-ID: CVE-2018-15876 Author: - LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre) - Fabien Haureils (https://www.linkedin.com/in/fabien-haureils/) Timeline: =========== - 2018/08/25: Vulnerability found - 2018/08/25: Advisory published on GitHub - 2018/08/25: CVE-ID request - 2018/08/26: Reported to developer on GitHub - 2018/09/01: No response from developer - 2018/09/01: Advisory sent to bugtraq mailing list Description: =========== Register form, login form and password recovery form need CAPTCHA solving to perform actions. However, these CAPTCHAs seem to be valid as long as the user session is valid. One could send as many requests as one wished by automatisation. This allows an attacker to spam large number of mail addresses, and brute-force credentials. References: =========== https://github.com/aas-n/CVE/tree/master/CVE-2018-15876

Referencje:

https://github.com/aas-n/CVE/tree/master/CVE-2018-15876


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top