CVE-2014-3781

Dotclear < 2.6.2 - Authentication Bypass

Title source: rule

Description

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

References (5)

[Vendor Advisory] http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3

[Exploit] http://karmainsecurity.com/KIS-2014-05

[Exploit] http://packetstormsecurity.com/files/126766/Dotclear-2.6.2-Authentication-Bypass.html

[Exploit] http://seclists.org/fulldisclosure/2014/May/107

[Third Party Advisory] http://secunia.com/advisories/58675

Scores

EPSS 0.0045

EPSS Percentile 63.2%

Classification

CWE

CWE-287

Status draft

Affected Products (4)

dotclear/dotclear < 2.6.2

dotclear/dotclear

Timeline

Published Jun 11, 2014

Tracked Since Feb 18, 2026