// For flags

CVE-2008-2020

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings.

La implementación CAPTCHA como se utiliza en (1) Francisco Burzi PHP-Nuke 7.0 y 8.1, (2) my123tkShop e-Commerce-Suite (también conocido como 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (también conocido como OpenDb) 1.5.0b4, y (8) Labgab 1.1; utiliza una imagen de fondo code_bg.jpg y la función de PHP ImageString de una forma que no produce un número suficiente de imágenes diferentes; esto permite a atacantes remotos pasar el test CAPTCHA mediante un ataque automático utilizando una tabla con todas las sumas de validación (checksum) de imágenes posibles y sus cadenas de dígitos correspondientes.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-04-29 CVE Reserved
  • 2008-04-30 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-10-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-330: Use of Insufficiently Random Values
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
E107
Search vendor "E107"
 E107
Search vendor "E107" for product "E107"
 0.7.11
Search vendor "E107" for product "E107" and version "0.7.11"
-
Affected
Labgab
Search vendor "Labgab"
 Labgab
Search vendor "Labgab" for product "Labgab"
 1.1
Search vendor "Labgab" for product "Labgab" and version "1.1"
-
Affected
My123tkshop
Search vendor "My123tkshop"
 E-commerce-suite
Search vendor "My123tkshop" for product "E-commerce-suite"
 0.9.1
Search vendor "My123tkshop" for product "E-commerce-suite" and version "0.9.1"
-
Affected
Opendb
Search vendor "Opendb"
 Opendb
Search vendor "Opendb" for product "Opendb"
 1.5.0
Search vendor "Opendb" for product "Opendb" and version "1.5.0"
beta4
Affected
Phpmybittorrent
Search vendor "Phpmybittorrent"
 Phpmybittorrent
Search vendor "Phpmybittorrent" for product "Phpmybittorrent"
 1.2.2
Search vendor "Phpmybittorrent" for product "Phpmybittorrent" and version "1.2.2"
-
Affected
Phpnuke
Search vendor "Phpnuke"
 Php-nuke
Search vendor "Phpnuke" for product "Php-nuke"
 7.0
Search vendor "Phpnuke" for product "Php-nuke" and version "7.0"
-
Affected
Phpnuke
Search vendor "Phpnuke"
 Php-nuke
Search vendor "Phpnuke" for product "Php-nuke"
 8.1
Search vendor "Phpnuke" for product "Php-nuke" and version "8.1"
-
Affected
Torrentflux Project
Search vendor "Torrentflux Project"
 Torrentflux
Search vendor "Torrentflux Project" for product "Torrentflux"
 2.3
Search vendor "Torrentflux Project" for product "Torrentflux" and version "2.3"
-
Affected
Webze
Search vendor "Webze"
 Webze
Search vendor "Webze" for product "Webze"
 0.5.9
Search vendor "Webze" for product "Webze" and version "0.5.9"
-
Affected