CAPTCHA bypass in login form via EXCLUDE_CAPTCHA parameter
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
Users can bypass the CAPTCHA check in the login form by using the EXCLUDE_CAPTCHA parameter, which could lead to brute-force attacks.
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 08-05-2021 - Fixed version release
- 30-08-2021 - Public disclosure
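
A defender-side check for the behaviour described above, as an added example that is not part of the original advisory: it scans access logs for requests carrying the EXCLUDE_CAPTCHA parameter and counts them per client address. The log format, the `/login` path, the threshold and the sample lines are constructed assumptions, and it assumes request parameters are visible in the logged request line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

PARAM = "EXCLUDE_CAPTCHA"  # parameter name given in the advisory

# Common Log Format prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: the /login path, addresses and values are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2021:10:00:01 +0000] "POST /login?user=a&EXCLUDE_CAPTCHA=x HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2021:10:00:02 +0000] "POST /login?user=a&exclude_captcha=x HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2021:10:00:03 +0000] "POST /login?user=a&EXCLUDE%5FCAPTCHA=x HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2021:10:00:04 +0000] "POST /login?user=a&EXCLUDE_CAPTCHA HTTP/1.1" 200 512
203.0.113.9 - - [01/Sep/2021:10:05:00 +0000] "POST /login?user=b&EXCLUDE_CAPTCHA=x HTTP/1.1" 200 512
192.0.2.10 - - [01/Sep/2021:10:06:00 +0000] "POST /login?user=c HTTP/1.1" 200 512
"""


def has_param(target):
    """True if the request target carries PARAM (any case, any value)."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names; keep_blank_values keeps value-less ones.
    pairs = parse_qsl(query, keep_blank_values=True)
    return any(name.upper() == PARAM for name, _ in pairs)


def flag_sources(log_text, threshold=3):
    """Return (hits per client IP, sorted IPs at or above threshold)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_param(m.group("target")):
            hits[m.group("ip")] += 1
    noisy = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = flag_sources(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s) with {PARAM}", "ALERT" if ip in noisy else "")
```

On a patched installation any request that still carries the parameter is worth reviewing, so a threshold of 1 is a reasonable setting there.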