Description
The CAPTCHA module adds challenges to arbitrary forms to block automated submissions and brute-force attacks.
When a submission fails the CAPTCHA, the module sets an error on the CAPTCHA field but does not stop Drupal's other form validators from running and displaying their own error messages. As a result, an attacker who submits an intentionally wrong CAPTCHA can still observe the outcome of the other validators — for example, whether the login form reports an unrecognized username or password — and use that feedback to probe protected fields and enumerate valid values without ever solving a challenge.
This vulnerability is mitigated by the fact that it requires the site to have placed a CAPTCHA on a form that exposes sensitive validation feedback (most notably the login form), and it discloses only the validity of submitted values rather than directly compromising data.
Solution
Install the latest version.
If you use the CAPTCHA module for Drupal 7, upgrade to captcha 7.x-1.8: