CVE-2023-45292

When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7	Patch
https://github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13	Patch
https://github.com/mojocn/base64Captcha/issues/120	Exploit Issue Tracking
https://pkg.go.dev/vuln/GO-2023-2386	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mojotv:base64captcha:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2023-12-11 22:15

Updated : 2023-12-14 16:26

NVD link : CVE-2023-45292

Mitre link : CVE-2023-45292

CVE.ORG link : CVE-2023-45292

JSON object : View

Products Affected

mojotv

base64captcha

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2023-45292", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-12-11T22:15:06.677", "references": [{"url": "https://github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://github.com/mojocn/base64Captcha/issues/120", "tags": ["Exploit", "Issue Tracking"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2386", "tags": ["Third Party Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct."}, {"lang": "es", "value": "Cuando se utiliza la implementaci\u00f3n predeterminada de Verify para verificar un Captcha, se puede omitir la verificaci\u00f3n. Por ejemplo, si el primer par\u00e1metro es una identificaci\u00f3n inexistente, el segundo par\u00e1metro es una cadena vac\u00eda y el tercer par\u00e1metro es verdadero, la funci\u00f3n siempre considerar\u00e1 que el Captcha es correcto."}], "lastModified": "2023-12-14T16:26:54.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mojotv:base64captcha:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "20EF9A8D-B33C-468E-9928-2E80A0C1EA00", "versionEndExcluding": "1.3.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}