Captcha can be programmatically reused by passing session id

Issue: SI-38
Date: Oct 31, 2016, 8:00:00 PM
Severity: Low
Requires Admin Access: No
Fix Version: 3.6
Credit: Elar Lang (Clarified Security –

If you use a captcha-protected resource such as the sendEmailServlet, the same solved captcha can be submitted again and again via curl, as long as each request reuses the session id cookie of the original request.
Restrict access to the REST API via permissions, configuration, firewall, or proxy.
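The following is an added example, not the project's own code, that models the root cause described above: a server-side check that compares the submitted captcha against the answer stored in the session but never clears it, so the same answer replays with the same session cookie. Beside it is a one-time variant that consumes the stored answer on first use; the in-memory session store, the `sendEmailServlet`-style verify functions and the sample answer are all constructed for illustration.

```python
"""Replay of a solved captcha bound to a session (constructed example).

Two server-side checks are modelled: a vulnerable one that leaves the
expected captcha answer in the session after a successful check, so the
same answer can be resubmitted with the same session cookie, and a
hardened one that removes the answer on first use.
"""
import secrets

# Constructed in-memory session store: session id -> session attributes.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session and return its id (stands in for the cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_captcha(sid: str, answer: str) -> None:
    """Record the expected answer when the captcha image is rendered."""
    SESSIONS[sid]["captcha"] = answer


def verify_vulnerable(sid: str, submitted: str) -> bool:
    """Compares but never clears the stored answer: replayable with one cookie."""
    expected = SESSIONS.get(sid, {}).get("captcha")
    return expected is not None and secrets.compare_digest(expected, submitted)


def verify_fixed(sid: str, submitted: str) -> bool:
    """One-time check: the stored answer is removed whether or not it matches,
    so every protected request needs a freshly solved captcha."""
    expected = SESSIONS.get(sid, {}).pop("captcha", None)
    return expected is not None and secrets.compare_digest(expected, submitted)


def replay_count(verify, attempts: int = 3) -> int:
    """Count how many of `attempts` identical submissions with one cookie pass."""
    sid = new_session()
    issue_captcha(sid, "7xk2q")  # constructed captcha solution
    return sum(verify(sid, "7xk2q") for _ in range(attempts))


if __name__ == "__main__":
    print("vulnerable accepts:", replay_count(verify_vulnerable))  # 3
    print("fixed accepts:     ", replay_count(verify_fixed))       # 1
```

A detection angle follows from the same model: repeated successful captcha-protected requests under a single session id within a short window are a signal worth alerting on, independent of the access restriction the advisory recommends.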