CWE-804 – Guessable CAPTCHA


Description

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-863 (Incorrect Authorization)
CWE-287 (Improper Authentication)
CWE-330 (Use of Insufficiently Random Values)

 

Consequences

Scope: Access Control, Other. Impact: Bypass Protection Mechanism, Other.

When authorization, authentication, or another protection mechanism relies on a CAPTCHA to ensure that only human actors can reach certain functionality, an automated attacker such as a bot can reach the restricted functionality by guessing the CAPTCHA answer (a small or repeating challenge pool, a low-entropy answer space, or an answer that stays valid for replay) or by recognizing the challenge automatically, and can then do so at a rate no human could.
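The guessable-versus-unguessable distinction above, as an added example that is not part of the CWE entry: a home-grown CAPTCHA built on a tiny fixed question pool (the pool and its questions are constructed sample data) beside a hardened version whose challenges are fresh high-entropy secrets, bound to an unguessable id, accepted once, and expiring. A simulated attacker harvests a handful of solved challenges and then replays the learned answers; the pass rate and the entropy of the answer space show why one design is guessable and the other is not. OCR/recognition resistance is out of scope here, so the hardened class returns its answer as plain text instead of a distorted image; that rendering choice is an assumption of this example.

```python
import hmac
import math
import random
import secrets
import string
import time
from collections import Counter

# Constructed sample pool: the kind of tiny question bank found in home-grown CAPTCHAs.
WEAK_POOL = [
    ("What is 2 + 2?", "4"),
    ("What colour is the sky?", "blue"),
    ("How many legs does a dog have?", "4"),
    ("What is 5 - 3?", "2"),
    ("Type the word human", "human"),
]


class WeakCaptcha:
    """Guessable CAPTCHA: a fixed pool, so challenges repeat and one learned answer
    passes every future occurrence of the same question; nothing is single-use."""

    def issue(self):
        idx = random.randrange(len(WEAK_POOL))      # challenge id is just the pool index
        return idx, WEAK_POOL[idx][0]               # (id, text shown to the user)

    def solve_as_human(self, challenge_id):
        return WEAK_POOL[challenge_id][1]           # simulates a person reading the question

    def verify(self, challenge_id, answer):
        return WEAK_POOL[challenge_id][1] == answer.strip().lower()

    @staticmethod
    def answer_entropy_bits():
        """Guessing resistance: entropy of the answer distribution an attacker faces."""
        counts = Counter(answer for _, answer in WEAK_POOL)
        n = len(WEAK_POOL)
        return -sum(c / n * math.log2(c / n) for c in counts.values())


class HardenedCaptcha:
    """Each challenge is a fresh high-entropy secret kept server-side, bound to an
    unguessable id, accepted once, and only before it expires."""

    ALPHABET = string.ascii_lowercase + string.digits
    LENGTH = 6
    TTL_SECONDS = 120

    def __init__(self):
        self._pending = {}                          # challenge_id -> (answer, expiry)

    def issue(self, now=None):
        now = time.time() if now is None else now
        answer = "".join(secrets.choice(self.ALPHABET) for _ in range(self.LENGTH))
        challenge_id = secrets.token_urlsafe(16)    # unguessable, not an index into anything
        self._pending[challenge_id] = (answer, now + self.TTL_SECONDS)
        # Assumption: a real deployment renders `answer` as a distorted image or audio clip;
        # the text is returned here because only the guess/replay surface is modelled.
        return challenge_id, answer

    def solve_as_human(self, challenge_id):
        return self._pending[challenge_id][0]

    def verify(self, challenge_id, answer, now=None):
        now = time.time() if now is None else now
        record = self._pending.pop(challenge_id, None)   # single use: removed on first try
        if record is None or now > record[1]:
            return False
        return hmac.compare_digest(record[0], answer.strip().lower())

    @classmethod
    def answer_entropy_bits(cls):
        return cls.LENGTH * math.log2(len(cls.ALPHABET))


def replay_attack(captcha, harvest, attempts, rng=None):
    """Attacker gets `harvest` challenges solved for real (a person or a solving farm),
    records shown-text -> answer, then answers `attempts` fresh challenges from that
    dictionary alone, falling back to a known answer when the text is new.
    Returns the fraction of fresh challenges that passed verification."""
    rng = rng or random.Random()
    learned = {}
    for _ in range(harvest):
        cid, shown = captcha.issue()
        learned[shown] = captcha.solve_as_human(cid)
    passed = 0
    for _ in range(attempts):
        cid, shown = captcha.issue()
        guess = learned.get(shown) or rng.choice(list(learned.values()))
        passed += captcha.verify(cid, guess)
    return passed / attempts


if __name__ == "__main__":
    print("weak replay pass rate:", replay_attack(WeakCaptcha(), 50, 200))
    print("hardened replay pass rate:", replay_attack(HardenedCaptcha(), 50, 200))
    print("answer entropy (bits): weak %.2f, hardened %.2f"
          % (WeakCaptcha.answer_entropy_bits(), HardenedCaptcha.answer_entropy_bits()))
```

With 50 harvested solves the attacker has almost certainly seen every one of the five weak questions and passes essentially every later challenge, against under two bits of answer entropy; the hardened design never shows the same challenge twice, rejects a second submission for the same id, and leaves a blind guesser facing roughly 31 bits. Rate-limiting and lockout on repeated failures belong alongside this, since even a large answer space can be brute-forced if the server accepts unlimited tries.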

 

Potential Mitigations

CVE References