Lucene search

GitHub Advisory DatabaseGHSA-5MMW-P5QV-W3X5

HistoryDec 12, 2023 - 12:30 a.m.

Always incorrect control flow in github.com/mojocn/base64Captcha

2023-12-1200:30:17

CWE-345

CWE-670

GitHub Advisory Database

github.com

github

mojocn

base64captcha

security

bypassed verification

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.6%

JSON

When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.

Affected configurations

Vulners

Node

mojotvbase64captchaRange<1.3.6go

CPENameOperatorVersion
github.com/mojocn/base64captchalt1.3.6

CPE	Name	Operator	Version
	github.com/mojocn/base64captcha	lt	1.3.6

References

github.com/advisories/GHSA-5mmw-p5qv-w3x5

github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7

github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13

github.com/mojocn/base64Captcha/issues/120

nvd.nist.gov/vuln/detail/CVE-2023-45292

pkg.go.dev/vuln/GO-2023-2386

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for GHSA-5MMW-P5QV-W3X5