PT-2022-16953 · Pypi · Flask-Session-Captcha

Guillaume Gomez

·

Published

2022-04-25

·

Updated

2022-05-05

·

CVE-2022-24880

CVSS v4.0

6.9

Medium

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: flask-session-captcha, versions prior to 1.2.1

Description: The captcha.validate() function in flask-session-captcha returns None rather than False when it is given no value, for example when a form is submitted with the captcha field empty. Application code that rejects a submission only when the return value is explicitly False (a check such as captcha.validate() == False or captcha.validate() is False) therefore does not take the rejection branch for an empty submission, and the captcha verification can be bypassed.

Recommendations: Update to version 1.2.1, which fixes the issue. As a temporary workaround for earlier versions, do not compare the return value of captcha.validate() to False explicitly. Use a truthiness check instead, such as "if not captcha.validate():" to reject or "if captcha.validate():" to accept, so that both None and False are treated as a failed verification.
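The following is an added example, not code from the advisory or from the flask-session-captcha project. It models the pre-1.2.1 behaviour described above with a small stand-in class (an assumption: the real library reads the submitted value from the Flask request itself, while the stand-in takes it as an argument so the example runs without Flask), and places a bypassable view next to a view written with the recommended truthiness check.

```python
# Added example; LegacyCaptchaModel is a stand-in, not the library's own code.
from typing import Optional


class LegacyCaptchaModel:
    """Simulates captcha.validate() in flask-session-captcha < 1.2.1.

    Assumption: the stored answer is passed in and the submitted value is an
    explicit argument. The one property that matters for the advisory is kept:
    an empty or missing value yields None, not False.
    """

    def __init__(self, expected: str) -> None:
        self.expected = expected

    def validate(self, value: Optional[str]) -> Optional[bool]:
        if not value:            # empty form field or missing field
            return None          # pre-1.2.1: None instead of False
        return value == self.expected


def vulnerable_view(captcha: LegacyCaptchaModel, form: dict) -> str:
    """Rejects only on an explicit False; None == False is False, so an
    empty submission skips the rejection branch and is accepted."""
    if captcha.validate(form.get("captcha")) == False:  # noqa: E712
        return "rejected"
    return "accepted"


def hardened_view(captcha: LegacyCaptchaModel, form: dict) -> str:
    """Uses the recommended truthiness check: None and False are both
    falsy, so anything other than a correct answer is rejected."""
    if not captcha.validate(form.get("captcha")):
        return "rejected"
    return "accepted"


def compare_views(expected: str = "7x3k") -> dict:
    """Runs both views over constructed submissions: a correct answer,
    a wrong answer, an empty field and a form with no captcha field."""
    captcha = LegacyCaptchaModel(expected)
    cases = {
        "correct": {"captcha": expected},
        "wrong": {"captcha": "zzzz"},
        "empty": {"captcha": ""},
        "missing": {},
    }
    return {
        name: {
            "vulnerable": vulnerable_view(captcha, form),
            "hardened": hardened_view(captcha, form),
        }
        for name, form in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_views().items():
        print(f"{name:8s} vulnerable={result['vulnerable']:9s} "
              f"hardened={result['hardened']}")
```

Running the block shows the "empty" and "missing" rows accepted by the vulnerable view and rejected by the hardened one, while the correct and wrong answers are handled identically by both. The same reasoning applies to any boolean-returning validator: compare against True, or rely on truthiness, rather than testing for the single failure value you expect.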


Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2022-24880
GHSA-7R87-CJ48-WJ45
PYSEC-2022-193

Affected Products

Flask-Session-Captcha