x/vulndb: potential Go vuln in github.com/mojocn/base64Captcha: CVE-2023-45292 #2386
Comments
|
Is it because my report is not detailed enough or is it difficult to understand? |
|
Hello, thanks for your report. We are planning create an entry in the Go vulnerability database for this issue. It should be published today or tomorrow. |
tatianab
changed the title
|
Change https://go.dev/cl/548060 mentions this issue: |
|
Thank you very much for getting the CVE number so quickly. |
Aliases: CVE-2023-45292 Updates #2386 Change-Id: I3db92e9e5ca20f2abc7ede0bb52371f577cf70f9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/548060 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
This vulnerability is fixed in version 1.3.6 |
|
Change https://go.dev/cl/548755 mentions this issue: |
Adds fixed version and commit links provided by reporter. Aliases: CVE-2023-45292 Updates #2386 Change-Id: I8a7d08bd02bdbdfdb161f105a9324301a0e85396 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/548755 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
|
Thanks again for your report. This has been published (including the fix you referenced) as GO-2023-2386 and CVE-2023-45292 |
|
Change https://go.dev/cl/549595 mentions this issue: |
Aliases: CVE-2023-45292, GHSA-5mmw-p5qv-w3x5 Updates #2386 Change-Id: I5d7e7d734d4f32339ff1bc23e078752f4122ab2f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/549595 Run-TryBot: Tim King <taking@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Acknowledgement
Description
This is a Module that generates website Captcha. I found that some special values can bypass Captcha verification.
When using store.Verify() to verify whether the Captcha is correct, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.
Sample code:
Reproduction screenshot
(I blurred my name in the picture above.)
Affected Modules, Packages, Versions and Symbols
Module: github.com/mojocn/base64Captcha Package: github.com/mojocn/base64Captcha Versions: - Introduced: 1.3.5 Symbols: - store.Verify()CVE/GHSA ID
No response
Fix Commit or Pull Request
No response
References
mojocn/base64Captcha#120
Additional information
I contacted the author via email and issue, but after 6 days there was still no feedback from the author.
The text was updated successfully, but these errors were encountered: