Knowage CAPTCHA Bypass
Release date: 29/07/2019
Last update: 29/07/2019
Vendor site: https://www.knowage-suite.com/site/home/
Affected version(s): 6.1.1
Remediated version: 6.4
Severity Rating: Low
Impact: Operational disruption
Attack vector: Remote without authentication
Details: The CAPTCHA is insecurely configured in the application. It is possible to bypass the CAPTCHA control by using the same valid CAPTCHA code for each request. This would only require an attacker to manually visit the page first to obtain the valid CAPTCHA code, then it can be automated to submit multiple requests. This could flood the application with numerous fake/spam accounts.
Recommendation: Update to the latest patch.
Discovered by: David Chadwick from Content Security Pty. Ltd.