CVE-2022-24880 – Potential Captcha Validate Bypass in flask-session-captcha
https://notcve.org/view.php?id=CVE-2022-24880
flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. In versions prior to 1.2.1, the `captcha.validate()` function would return `None` rather than `False` if passed no value (e.g. when an empty form is submitted). If implementing users were checking the return value to be **False** (an explicit comparison rather than a truthiness check), the captcha verification check could be bypassed, because `None` compares unequal to `False` and the rejection branch is never taken. Version 1.2.1 fixes the issue. Users can work around the issue by not explicitly checking that the value is False, i.e. by treating any return value other than True as a failed check.
• https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
• https://github.com/Tethik/flask-session-captcha/pull/27
• https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1
• https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45
• CWE-253: Incorrect Check of Function Return Value
• CWE-394: Unexpected Status Code or Return Value
• CWE-754: Improper Check for Unusual or Exceptional Conditions
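The bypass pattern described above, as an added stand-alone example (not flask-session-captcha's own code): `validate_pre_1_2_1()` and `validate_1_2_1()` are constructed stand-ins that only imitate the documented return-value behaviour before and after the fix, the session answer and form dictionaries are constructed sample input, and `vulnerable_handler()` / `hardened_handler()` are hypothetical application handlers showing the `== False` check the advisory warns about next to the workaround it recommends.

```python
# Added example for CVE-2022-24880. None of this is flask-session-captcha's
# own code; the validate_* functions only imitate the return-value behaviour
# the advisory describes, and SESSION_ANSWER / the form dicts are constructed.

SESSION_ANSWER = "7f3k2"  # constructed: the answer the server stored in the session


def validate_pre_1_2_1(value):
    """Stand-in for captcha.validate() before 1.2.1: an empty submission
    yields None instead of False, so it is neither True nor False."""
    if not value:
        return None  # the defect: missing answer is reported as None
    return value == SESSION_ANSWER


def validate_1_2_1(value):
    """Stand-in for the fixed behaviour: an empty submission is simply False."""
    return bool(value) and value == SESSION_ANSWER


def vulnerable_handler(form, validate=validate_pre_1_2_1):
    """Explicit `== False` comparison (hypothetical app code).

    With the pre-1.2.1 stand-in, an empty form makes validate() return None;
    `None == False` is False, so the rejection branch is skipped.
    """
    answer = form.get("captcha")
    if validate(answer) == False:  # noqa: E712 - the exact pattern that is bypassable
        return "rejected"
    return "accepted"


def hardened_handler(form, validate=validate_pre_1_2_1):
    """Workaround from the advisory: anything other than True is a failure."""
    answer = form.get("captcha")
    if validate(answer) is not True:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Empty form: the explicit-False check lets it through, the hardened one does not.
    print("vulnerable, empty form:", vulnerable_handler({}))
    print("hardened,   empty form:", hardened_handler({}))
    # After the fix, even the explicit-False check behaves correctly.
    print("vulnerable, empty form, fixed lib:",
          vulnerable_handler({}, validate=validate_1_2_1))
```

Running the module shows the empty submission being accepted by the explicit-False check against the pre-1.2.1 stand-in and rejected by the `is not True` check; a wrong answer is rejected by both, and once the stand-in returns False for empty input (the 1.2.1 behaviour) the explicit check is no longer bypassable.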