CVE-2014-3781

Published: Jun 11, 2014Modified: May 6, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

Affected (4)

Products: Dotclear: Dotclear

Dotclear

1 product

Dotclear

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Dotclear Dotclear	Up to 2.6.2
Dotclear Dotclear	Version 2.6.1
Dotclear Dotclear	Version 2.6
Dotclear Dotclear	Version 2.6 rc

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (10)

http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3

Source: cve@mitre.org

Vendor Advisory

http://karmainsecurity.com/KIS-2014-05

Source: cve@mitre.org

Exploit

http://packetstormsecurity.com/files/126766/Dotclear-2.6.2-Authentication-Bypass.html

Source: cve@mitre.org

Exploit

http://seclists.org/fulldisclosure/2014/May/107

Source: cve@mitre.org

Exploit

http://secunia.com/advisories/58675

Source: cve@mitre.org

http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3