Software Link: http://dotclear.org

Affected Versions:
- Version 2.6.2 and probably prior versions.

Vulnerability Description:
The vulnerability exists because the method does not properly verify the provided password before it is used in a call to the method at line 270. This could be exploited to bypass the authentication mechanism by sending an XML-RPC request with a valid username and an empty password. Successful exploitation of this vulnerability requires the XML-RPC interface to be enabled (it is disabled by default).

Solution:
Update to version 2.6.3.

Disclosure Timeline:
- [14/05/2014] - Vendor notified
- [15/05/2014] - Vendor response
- [16/05/2014] - Version 2.6.3 released: http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
- [16/05/2014] - CVE number requested
- [19/05/2014] - CVE number assigned
- [21/05/2014] - Public disclosure

CVE Reference:
CVE-2014-3781 (http://cve.mitre.org)

Credits:
Vulnerability discovered by Egidio Romano.
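The defensive pattern the advisory implies, as an added example that is not Dotclear's code: an XML-RPC login handler that refuses an empty password before any password verification runs, plus a small detector that flags empty-password login attempts in request bodies. The method name, the parameter layout (username, password as the first two string params) and the salted-SHA-256 user store are assumptions for the example.

```python
"""Added example, not Dotclear's code. Assumed: username/password are the
first two string params of the call; the user store format is constructed."""
import hashlib
import hmac
import xmlrpc.client


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed user store: username -> (salt, sha256(salt + password)).
USERS = {"admin": (b"s4lt", _digest(b"s4lt", "correct horse"))}


def authenticate(username: str, password: str) -> bool:
    """Reject missing or empty credentials *before* the password check runs,
    so an empty password can never reach the verifier (the advisory's bug class)."""
    if not username or not password:
        return False
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _digest(salt, password))


def parse_login_request(xml_body: str) -> dict:
    """Extract method name, username and password from an XML-RPC methodCall."""
    params, method = xmlrpc.client.loads(xml_body)
    if len(params) < 2 or not all(isinstance(p, str) for p in params[:2]):
        raise ValueError("unexpected parameter layout for %s" % method)
    username, password = params[0], params[1]
    return {"method": method, "username": username, "password": password,
            "empty_password": password.strip() == ""}


def handle(xml_body: str) -> bool:
    """Hardened request path: parse, then authenticate with the empty check."""
    req = parse_login_request(xml_body)
    return authenticate(req["username"], req["password"])


def flag_empty_password_logins(bodies) -> list:
    """Detection helper: usernames targeted by empty-password login requests."""
    return [r["username"] for r in map(parse_login_request, bodies) if r["empty_password"]]


# Constructed sample requests (not captured traffic); method name is assumed.
SAMPLE_REQUESTS = [
    xmlrpc.client.dumps(("admin", ""), methodname="blogger.getUsersBlogs"),
    xmlrpc.client.dumps(("admin", "correct horse"), methodname="blogger.getUsersBlogs"),
    xmlrpc.client.dumps(("admin", "wrong"), methodname="blogger.getUsersBlogs"),
]
```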