
CVE-2022-24880 – Potential Captcha Validate Bypass in flask-session-captcha
https://notcve.org/view.php?id=CVE-2022-24880
25 Apr 2022 — flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. In versions prior to 1.2.1, the `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is Fal...
• https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
• CWE-253: Incorrect Check of Function Return Value
• CWE-394: Unexpected Status Code or Return Value
• CWE-754: Improper Check for Unusual or Exceptional Conditions

CVE-2021-42358 – Contact Form With Captcha <= 1.6.2 Cross-Site Request Forgery to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-42358
29 Nov 2021 — The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 1.6.2.
• https://plugins.trac.wordpress.org/browser/contact-form-with-captcha/trunk/cfwc-form.php#L17
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-24565 – Contact Form 7 Captcha < 0.0.9 - CSRF to Stored XSS
https://notcve.org/view.php?id=CVE-2021-24565
26 Jul 2021 — The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.
• https://plugins.trac.wordpress.org/changeset/2570402
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-15514
https://notcve.org/view.php?id=CVE-2020-15514
07 Jul 2020 — The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS.
• https://typo3.org/help/security-advisories
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-6250
https://notcve.org/view.php?id=CVE-2015-6250
06 Sep 2017 — simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be694 allows remote attackers to automatically generate the captcha response by running the same code on the client side.
• http://www.openwall.com/lists/oss-security/2015/08/17/7
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2014-5190 – SI CAPTCHA Anti-Spam < 2.7.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-5190
07 Aug 2014 — Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
• http://packetstormsecurity.com/files/127723/WordPress-SI-CAPTCHA-Cross-Site-Scripting.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-2943
https://notcve.org/view.php?id=CVE-2012-2943
27 May 2012 — CRLF injection vulnerability in cryptographp.inc.php in Cryptographp allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the cfg parameter.
• http://packetstormsecurity.org/files/112859/Cryptographp-Local-File-Inclusion-HTTP-Response-Splitting.html