CVE-2025-10423
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10423
EUVD
EUVD-2025-29145
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
newbee-mall_project newbee-mall 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-804 The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in newbee-mall involves a guessable CAPTCHA mechanism at the endpoint `/common/mall/kaptcha`. The CAPTCHA is generated once per user session and remains constant until the client explicitly requests a new one. This means an attacker can reuse the same session to repeatedly attempt to solve the CAPTCHA without it changing, allowing them to predict and brute-force the CAPTCHA. This flaw enables bypassing CAPTCHA protections, facilitating automated brute-force password attacks. [1]

Impact Analysis

This vulnerability can lead to a failure of CAPTCHA protections, significantly increasing the risk of automated brute-force attacks on user accounts. Attackers can repeatedly guess passwords without being blocked by CAPTCHA challenges, potentially leading to account takeover and unauthorized access. [1]

Detection Guidance

This vulnerability can be detected by monitoring requests to the endpoint `/common/mall/kaptcha` and checking if the CAPTCHA value remains constant across multiple requests within the same session. You can use tools like curl or wget to repeatedly request the CAPTCHA endpoint with the same session cookie and compare the returned CAPTCHA images or values. For example, using curl: `curl -c cookies.txt http://target/common/mall/kaptcha` to save cookies, then `curl -b cookies.txt http://target/common/mall/kaptcha` multiple times to see if the CAPTCHA changes. If the CAPTCHA does not change, the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to modify the CAPTCHA implementation so that the CAPTCHA is regenerated on every login attempt rather than only when the `/common/mall/kaptcha` endpoint is accessed. This ensures that each CAPTCHA is unique per attempt and prevents attackers from reusing the same CAPTCHA value within a session. Additionally, monitoring and limiting repeated login attempts from the same session can help reduce the risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart