blob: 13aaebaceea7db632f2573daf9224c0c4011315f [file] [log] [blame]
id: GO-2023-2386
modules:
- module: github.com/mojocn/base64Captcha
versions:
- fixed: 1.3.6
vulnerable_at: 1.3.5
packages:
- package: github.com/mojocn/base64Captcha
symbols:
- memoryStore.Verify
summary: Captcha verification bypass in github.com/mojocn/base64Captcha
description: |-
When using the default implementation of Verify to check a Captcha, verification
can be bypassed.
For example, if the first parameter is a non-existent id, the second parameter
is an empty string, and the third parameter is true, the function will always
consider the Captcha to be correct.
ghsas:
- GHSA-5mmw-p5qv-w3x5
credits:
- '@cangkuai'
references:
- report: https://github.com/mojocn/base64Captcha/issues/120
- fix: https://github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13
- fix: https://github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7
cve_metadata:
id: CVE-2023-45292
cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
review_status: REVIEWED