The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Dotclear | Dotclear | * | 2.6.2 |
Dotclear | Dotclear | 2.6 | 2.6 |
Dotclear | Dotclear | 2.6.1 | 2.6.1 |