| id: GO-2023-2386 |
| modules: |
| - module: github.com/mojocn/base64Captcha |
| versions: |
| - fixed: 1.3.6 |
| vulnerable_at: 1.3.5 |
| packages: |
| - package: github.com/mojocn/base64Captcha |
| symbols: |
| - memoryStore.Verify |
| summary: Captcha verification bypass in github.com/mojocn/base64Captcha |
| description: |- |
| When using the default implementation of Verify to check a Captcha, verification |
| can be bypassed. |
| |
| For example, if the first parameter is a non-existent id, the second parameter |
| is an empty string, and the third parameter is true, the function will always |
| consider the Captcha to be correct. |
| ghsas: |
| - GHSA-5mmw-p5qv-w3x5 |
| credits: |
| - '@cangkuai' |
| references: |
| - report: https://github.com/mojocn/base64Captcha/issues/120 |
| - fix: https://github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13 |
| - fix: https://github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7 |
| cve_metadata: |
| id: CVE-2023-45292 |
| cwe: 'CWE-305: Authentication Bypass by Primary Weakness' |
| review_status: REVIEWED |
