CVE-2025-10423
BaseFortify

Publication date: 2025-09-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in newbee-mall 1.0. The affected function is mallKaptcha in the file /common/mall/kaptcha. Manipulation results in a guessable CAPTCHA. The attack can be executed remotely, but its complexity is rated high and exploitation is considered difficult. The exploit has been made public and could be used.
Meta Information
Published: 2025-09-15
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-09-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE:
Vendor: newbee-mall_project
Product: newbee-mall
Version / Range: 1.0
CWE IDs and Descriptions
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-804 (Guessable CAPTCHA): The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in newbee-mall involves a guessable CAPTCHA mechanism at the endpoint `/common/mall/kaptcha`. The CAPTCHA is generated once per user session and remains constant until the client explicitly requests a new one. This means an attacker can reuse the same session to repeatedly attempt to solve the CAPTCHA without it changing, allowing them to predict and brute-force the CAPTCHA. This flaw enables bypassing CAPTCHA protections, facilitating automated brute-force password attacks. [1]


How can this vulnerability impact me?

This vulnerability can lead to a failure of CAPTCHA protections, significantly increasing the risk of automated brute-force attacks on user accounts. Attackers can repeatedly guess passwords without being blocked by CAPTCHA challenges, potentially leading to account takeover and unauthorized access. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring requests to the endpoint `/common/mall/kaptcha` and checking if the CAPTCHA value remains constant across multiple requests within the same session. You can use tools like curl or wget to repeatedly request the CAPTCHA endpoint with the same session cookie and compare the returned CAPTCHA images or values. For example, using curl: `curl -c cookies.txt http://target/common/mall/kaptcha` to save cookies, then `curl -b cookies.txt http://target/common/mall/kaptcha` multiple times to see if the CAPTCHA changes. If the CAPTCHA does not change, the vulnerability is present. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to modify the CAPTCHA implementation so that the CAPTCHA is regenerated on every login attempt rather than only when the `/common/mall/kaptcha` endpoint is accessed. This ensures that each CAPTCHA is unique per attempt and prevents attackers from reusing the same CAPTCHA value within a session. Additionally, monitoring and limiting repeated login attempts from the same session can help reduce the risk. [1]
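To make the weakness and the fix concrete, here is an added, self-contained Python model of the two session behaviours described in the answers above. It is not code from newbee-mall (which is a Java project) and it reproduces only the logic the advisory describes: in the vulnerable variant the CAPTCHA stored in the session stays valid until the client fetches a new one, so wrong login attempts never invalidate it; in the hardened variant every login attempt consumes the stored CAPTCHA, and a per-session failed-attempt counter (the lockout threshold `MAX_FAILED_ATTEMPTS` is an assumed value, not something the page states) limits repeated attempts. The class and function names are invented for this illustration.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_LEN = 4
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold; not a value from the advisory


def new_captcha() -> str:
    """Generate a random CAPTCHA text (stand-in for the image the kaptcha endpoint returns)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CAPTCHA_LEN))


class VulnerableSession:
    """Pattern the advisory describes: the CAPTCHA is stored when
    /common/mall/kaptcha is fetched and stays valid until the client fetches
    another one, so a failed login attempt does not invalidate it."""

    def __init__(self) -> None:
        self.captcha = None

    def fetch_captcha(self) -> str:
        self.captcha = new_captcha()
        return self.captcha

    def login(self, answer: str) -> bool:
        # The stored value is never cleared, so the same challenge can be
        # answered again and again within one session.
        return self.captcha is not None and hmac.compare_digest(self.captcha, answer)


class HardenedSession:
    """Mitigation: every login attempt consumes the stored CAPTCHA, so the
    client must fetch a fresh challenge before each attempt. Failed attempts
    are also counted per session and refused past a threshold."""

    def __init__(self) -> None:
        self.captcha = None
        self.failed_attempts = 0

    def fetch_captcha(self) -> str:
        self.captcha = new_captcha()
        return self.captcha

    def login(self, answer: str) -> bool:
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False  # session locked; the client needs a new session
        expected, self.captcha = self.captcha, None  # consume before comparing
        ok = expected is not None and hmac.compare_digest(expected, answer)
        if not ok:
            self.failed_attempts += 1
        return ok


def reused_captcha_accepted(session_cls, wrong_guesses: int) -> bool:
    """Fetch one CAPTCHA, submit `wrong_guesses` bad answers, then submit the
    right answer without fetching again. True means the reused CAPTCHA is
    still accepted, which is the vulnerable behaviour."""
    session = session_cls()
    solution = session.fetch_captcha()
    for _ in range(wrong_guesses):
        session.login("----")  # '-' is outside ALPHABET, so this never matches
    return session.login(solution)


def fresh_captcha_per_attempt_succeeds(session_cls, attempts: int) -> bool:
    """Legitimate client flow: fetch a new CAPTCHA before every login attempt.
    True if each correctly answered attempt is accepted."""
    session = session_cls()
    for _ in range(attempts):
        solution = session.fetch_captcha()
        if not session.login(solution):
            return False
    return True


if __name__ == "__main__":
    print("vulnerable, reused after 50 wrong guesses:",
          reused_captcha_accepted(VulnerableSession, 50))
    print("hardened, reused after 1 wrong guess:",
          reused_captcha_accepted(HardenedSession, 1))
    print("hardened, fresh CAPTCHA each attempt:",
          fresh_captcha_per_attempt_succeeds(HardenedSession, 3))
```

The single-use rule is the part that matters: a CAPTCHA that is cleared on every verification cannot be replayed within the session, whichever way the client obtained its answer, and the legitimate flow of fetching a new challenge before each attempt keeps working unchanged.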

