Date: Sun, 18 Jan 2015 15:44:02 -0500 (EST)
From: cve-assign@...re.org
To: Damien Regad <dregad@...tisbt.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request: CAPTCHA bypass in MantisBT

On Sat, 17 Jan 2015, Damien Regad wrote:

> Greetings,
>
> Please assign a CVE ID for the following issue
>
>
> Description:
>
> An attacker can get an unlimited amount of CAPTCHA "samples" with different
> perturbations for the same challenge, which makes the whole captcha utterly
> useless and very easy to bypass.
>
>
> Affected versions:
> <= 1.2.19
>
> Fixed in versions:
> 1.2.19 (not yet released)
>
> Patch:
> See Github
>
> Credit:
> This vulnerability was reported by Florent Daigniere from Matta
> Consulting.
> The issue was fixed by Damien Regad (MantisBT Developer).
>
> References:
> Further details available in our issue tracker
>
> https://github.com/mantisbt/mantisbt/commit/39a92726
> https://www.mantisbt.org/bugs/view.php?id=17984

Use CVE-2014-9624. (Although 17984 apparently was not publicly
accessible until 2015, the 39a92726 commit appears to have been
uploaded to GitHub on December 29, 2014, and it clearly describes a
security issue. Therefore a 2014 ID is used.)

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]