iDS6 DSSPro Digital Signage System CAPTCHA Security Bypass Vulnerability

Vulnerability

A CAPTCHA bypass vulnerability has been identified in iDS6 DSSPro Digital Signage System version 6.2. This vulnerability allows attackers to circumvent authentication by requesting the autoLoginVerifyCode object. Exploiting this flaw, attackers can retrieve valid CAPTCHA codes through the login endpoint and use them to launch brute-force attacks against user accounts.

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to perform brute-force attacks on user accounts.

Reproduction

To reproduce this vulnerability, first request the autoLoginVerifyCode object from the login endpoint. This will return a valid CAPTCHA code. Next, use this CAPTCHA code to bypass the authentication challenge by sending a request to the userValidate endpoint, including the CAPTCHA code and user credentials. This will successfully authenticate the user and bypass the CAPTCHA verification.

Added: May 16, 2026, 4:38 PM
Updated: May 16, 2026, 4:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.