CVE-2008-2020
published 2008-04-30


Priority: P431
Severity: high (CVSS 3.1 base score 7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 1.67% (73.9th percentile)
The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings.

Affected

29 ranges, showing 25. No version range or fixed-in version is listed for any row.

Vendor          Product
e107            e107
labgab          labgab
msrc            microsoft_net_framework_2.0_service_pack_2
msrc            microsoft_net_framework_3.0_service_pack_2
msrc            microsoft_net_framework_3.5
msrc            microsoft_net_framework_3.5.1
msrc            microsoft_net_framework_3.5_and_4.6.2_4.7_4.7.1_4.7.2
msrc            microsoft_net_framework_3.5_and_4.6_4.6.1_4.6.2
msrc            microsoft_net_framework_3.5_and_4.7.1_4.7.2
msrc            microsoft_net_framework_3.5_and_4.7.2
msrc            microsoft_net_framework_3.5_and_4.8
msrc            microsoft_net_framework_4.5.2
msrc            microsoft_net_framework_4.6
msrc            microsoft_net_framework_4.6_4.6.1_4.6.2_4.7_4.7.1_4.7.2
msrc            microsoft_net_framework_4.8
msrc            microsoft_sharepoint_enterprise_server_2013_service_pack_1
msrc            microsoft_sharepoint_enterprise_server_2016
msrc            microsoft_sharepoint_server_2010_service_pack_2
msrc            microsoft_sharepoint_server_2019
msrc            microsoft_visual_studio_2017_version_15.9
msrc            net_core_2.1
msrc            net_core_3.1
my123tkshop     e-commerce-suite
opendb          opendb
phpmybittorrent phpmybittorrent

CVSS provenance

Source        CVSS version   Score   Severity   Vector
nvd           v3.1           7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd           v2.0           6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc   n/a            7.8     CRITICAL   n/a