Issues » Captcha can be programmatically reused by passing session id

Issue: SI-38
Date: Oct 31, 2016, 8:00:00 PM
Severity: Low
Requires Admin Access: No
Fix Version: 3.6
Credit: Elar Lang (Clarified Security – www.clarifiedsecurity.com)
Description:

If you use a captcha protected resource like the sendEmailServlet you can pass the same captcha again and again via curl if you use the session id cookie of the original request.

CVE-2016-8600

Mitigation:

Restrict access to the REST API via permissions, configuration, firewall, or proxy.

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews