oss-sec mailing list archives
Re: CVE request: CAPTCHA bypass in MantisBT
From: cve-assign () mitre org
Date: Sun, 18 Jan 2015 15:44:02 -0500 (EST)
On Sat, 17 Jan 2015, Damien Regad wrote:
Greetings, Please assign a CVE ID for the following issue Description:An attacker can get an unlimited amount of CAPTCHA "samples" with different perturbations for the same challenge, which makes the whole captcha utterly useless and very easy to bypass.Affected versions: <= 1.2.19 Fixed in versions: 1.2.19 (not yet released) Patch: See Github [1] Credit:This vulnerability was reported [2] by Florent Daigniere from Matta Consulting.The issue was fixed by Damien Regad (MantisBT Developer). References: Further details available in our issue tracker [2] [1] https://github.com/mantisbt/mantisbt/commit/39a92726 [2] https://www.mantisbt.org/bugs/view.php?id=17984
Use CVE-2014-9624. (Although 17984 apparently was not publicly accessible until 2015, the 39a92726 commit appears to have been uploaded to GitHub on December 29, 2014, and it clearly describes a security issue. Therefore a 2014 ID is used.)
--- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE request: CAPTCHA bypass in MantisBT Damien Regad (Jan 16)
- Re: CVE request: CAPTCHA bypass in MantisBT cve-assign (Jan 18)