CVE-2022-24880
low-risk
Published 2022-04-25
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
Do I need to act?
-
0.25% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Flask-Session-Captcha
Affected Vendors
References (8)
Third Party Advisory
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj...
Third Party Advisory
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj...
27
/ 100
low-risk
Severity
21/34 · High
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal