The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Dotclear | Dotclear | * | 2.6.2 (including) |
Dotclear | Dotclear | 2.6 (including) | 2.6 (including) |
Dotclear | Dotclear | 2.6-rc (including) | 2.6-rc (including) |
Dotclear | Dotclear | 2.6.1 (including) | 2.6.1 (including) |
Dotclear | Ubuntu | precise | * |
Dotclear | Ubuntu | saucy | * |
Dotclear | Ubuntu | trusty | * |
Dotclear | Ubuntu | upstream | * |
Dotclear | Ubuntu | utopic | * |
Dotclear | Ubuntu | vivid | * |
Dotclear | Ubuntu | wily | * |