CVE ID: CVE-2021-37417

Title: CAPTCHA bypass in login form via EXCLUDE_CAPTCHA parameter

Severity: 5.3 (Medium)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Product: ManageEngine ADSelfService Plus

Affected versions: < 6104

Reported by: Krzysztof Andrusiak and Marcin Ogorzelski

A user can bypass the CAPTCHA check in the login form by supplying the EXCLUDE_CAPTCHA parameter, which removes the protection against brute-force login attempts.
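The following is an added illustration of the vulnerability class behind this advisory, not code from ADSelfService Plus or from the reporters: a login handler that lets a client-supplied EXCLUDE_CAPTCHA field decide whether the CAPTCHA check runs, shown beside a hardened handler that derives the requirement only from server-side state. A small log check for requests carrying that parameter is included for defenders. The request shape, the field names other than EXCLUDE_CAPTCHA, the lockout threshold, and the log format are all constructed assumptions.

```python
"""
Constructed model of CVE-2021-37417's vulnerability class: a CAPTCHA check
that the client can switch off. Not product source code; every name except
EXCLUDE_CAPTCHA is an assumption made for this example.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class LoginRequest:
    params: dict  # submitted form fields (constructed model of a request)


class CaptchaStore:
    """Server-side record of how many times each username failed to log in."""

    def __init__(self, threshold=3):
        self.failed_attempts = {}     # username -> consecutive failures
        self.threshold = threshold    # assumed policy: CAPTCHA after 3 failures

    def required_for(self, username):
        return self.failed_attempts.get(username, 0) >= self.threshold

    def record(self, username, success):
        if success:
            self.failed_attempts.pop(username, None)
        else:
            self.failed_attempts[username] = self.failed_attempts.get(username, 0) + 1


def captcha_valid(params):
    # Stand-in for a real CAPTCHA verification (constructed).
    return params.get("captcha") == "expected-answer"


def check_password(username, password, users):
    return users.get(username) == password


def vulnerable_login(req, store, users):
    """Honours a client-supplied EXCLUDE_CAPTCHA flag, so the check can be skipped."""
    username = req.params.get("username", "")
    skip = req.params.get("EXCLUDE_CAPTCHA") is not None  # attacker-controlled
    if not skip and store.required_for(username) and not captcha_valid(req.params):
        return "captcha_required"
    ok = check_password(username, req.params.get("password", ""), users)
    store.record(username, ok)
    return "ok" if ok else "bad_credentials"


def hardened_login(req, store, users):
    """Decides the CAPTCHA requirement purely from server-side state."""
    username = req.params.get("username", "")
    if store.required_for(username) and not captcha_valid(req.params):
        return "captcha_required"
    ok = check_password(username, req.params.get("password", ""), users)
    store.record(username, ok)
    return "ok" if ok else "bad_credentials"


def brute_force_outcome(handler, extra_params=None):
    """Send 10 wrong guesses; return how many reached the password check."""
    users = {"alice": "correct-horse"}     # constructed account
    store = CaptchaStore()
    reached = 0
    for i in range(10):
        params = {"username": "alice", "password": f"guess{i}"}
        params.update(extra_params or {})
        if handler(LoginRequest(params), store, users) == "bad_credentials":
            reached += 1
    return reached


# Constructed access-log lines ("METHOD PATH STATUS"), not real product logs.
SAMPLE_LOG = [
    "POST /login?username=alice 200",
    "POST /login?username=alice&EXCLUDE_CAPTCHA=true 401",
    "POST /login?username=bob&exclude_captcha=1 401",
]


def flag_captcha_bypass_attempts(lines):
    """Return log lines whose query string carries EXCLUDE_CAPTCHA (any case)."""
    hits = []
    for line in lines:
        path = line.split()[1]
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        if any(key.lower() == "exclude_captcha" for key in query):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable, no flag:   ", brute_force_outcome(vulnerable_login))
    print("vulnerable, with flag: ", brute_force_outcome(vulnerable_login, {"EXCLUDE_CAPTCHA": "1"}))
    print("hardened, with flag:   ", brute_force_outcome(hardened_login, {"EXCLUDE_CAPTCHA": "1"}))
    print("flagged log lines:     ", len(flag_captcha_bypass_attempts(SAMPLE_LOG)))
```

With the assumed threshold of three failures, the vulnerable handler lets every guess through once the flag is present, while the hardened handler stops at the same point with or without it; the only difference between the two is that the hardened one never reads a client field to decide whether a security control applies.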

Timeline:

  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 08-05-2021 - Fixed version released
  • 30-08-2021 - Public disclosure