CWE-804: Guessable CAPTCHA

ID CWE-804

Abstraction Base

Structure Simple

Status Incomplete

Number of CVEs 3

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.

There can be several different causes of a guessable CAPTCHA:

An audio or visual image that does not have sufficient distortion from the unobfuscated source image.
A question is generated with a format that can be automatically recognized, such as a math question.
A question for which the number of possible answers is limited, such as birth years or favorite sports teams.
A general-knowledge or trivia question for which the answer can be accessed using a data base, such as country capitals or popular entertainers.
Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.

Modes of Introduction

Phase	Note
Architecture and Design
Implementation

Applicable Platforms

Type	Class	Name	Prevalence
Language	Not Language-Specific
Technology		Web Server

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-863	Incorrect Authorization	Class	Simple	Incomplete
CWE-1000	Research Concepts	Draft	CWE-1390	Weak Authentication	Class	Simple	Incomplete

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date