CMS login captcha can be bypassed by deleting cookies 

Issue date: 07-04-2020
Affects versions: 14.0, 13.4, 12.6, 11.2

Issue ID

SECURITY-136

Affected Product Version(s)

14.0.0, 13.4.1, 12.6.8 (and previous patch releases)

Severity

Medium

Description

CMS login captcha can be bypassed by deleting cookies.

Steps to reproduce:

  • Try logging into the CMS with invalid credentials multiple times, until the captcha appears
  • Delete cookies
  • The captcha goes away, and you can keep trying
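
The steps above are consistent with a failed-login counter that lives in the cookie-bound session; the advisory does not state the root cause, so that is an assumption. The added example below (not the product's code; the class names, threshold and sample values are constructed) models such a counter beside one kept server-side and keyed by username and client address, and replays the steps against both.

```python
import secrets

CAPTCHA_AFTER = 3  # constructed threshold; the advisory does not state one
USER, ADDR = "editor", "203.0.113.7"  # constructed sample account and client address


class SessionKeyedCounter:
    """Assumed flaw: the failure count lives in the cookie-bound session."""
    def __init__(self):
        self.sessions = {}  # session id -> failed attempts

    def attempt(self, cookie, username, client_ip, password_ok):
        if cookie not in self.sessions:  # missing or unknown cookie: fresh session
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = 0
        captcha_required = self.sessions[cookie] >= CAPTCHA_AFTER
        if not password_ok:
            self.sessions[cookie] += 1
        return cookie, captcha_required


class ServerKeyedCounter:
    """Hardened model: counts are keyed by values the client cannot discard."""
    def __init__(self):
        self.failures = {}  # ("user", name) / ("ip", address) -> failed attempts

    def attempt(self, cookie, username, client_ip, password_ok):
        keys = [("user", username.lower()), ("ip", client_ip)]
        captcha_required = any(self.failures.get(k, 0) >= CAPTCHA_AFTER for k in keys)
        if not password_ok:
            for k in keys:
                self.failures[k] = self.failures.get(k, 0) + 1
        elif not captcha_required:
            self.failures.pop(keys[0], None)  # success resets the account counter only
        return cookie or secrets.token_hex(8), captcha_required


def replay_advisory_steps(login):
    """Fail until the captcha appears, delete the cookie, try again."""
    cookie = None
    for _ in range(CAPTCHA_AFTER):
        cookie, _shown = login.attempt(cookie, USER, ADDR, False)
    cookie, before = login.attempt(cookie, USER, ADDR, False)
    _, after = login.attempt(None, USER, ADDR, False)  # cookies deleted
    return before, after  # captcha demanded before / after the deletion


if __name__ == "__main__":
    print(replay_advisory_steps(SessionKeyedCounter()), replay_advisory_steps(ServerKeyedCounter()))
```
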

Instructions

Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.

See also the upgrade instructions.