GitHub_M·CWE-253·Published 2022-04-25
flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. In versions prior to 1.2.1, the `captcha.validate()` function would return `None` if passed no value (e.g. by submitting a request with an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can work around the issue by not explicitly checking that the value is False. Checking the return value less explicitly (by truthiness) should still work.
### Impact

flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. The `captcha.validate()` function would return `None` if passed no value (e.g. by submitting a request with an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed.

Sample vulnerable code:

```python
if captcha.validate() == False:
    ...  # abort
else:
    ...  # do stuff
```

### Patches

A new version (1.2.1) is available that fixes the issue.

### Workarounds

Users can work around the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.

```python
if not captcha.validate():
    ...  # abort
else:
    ...  # do stuff
```

```python
if captcha.validate():
    ...  # do stuff
else:
    ...  # abort
```

### References

https://github.com/Tethik/flask-session-captcha/pull/27

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the github repo](https://github.com/Tethik/flask-session-captcha)
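The following is an added example, not code from flask-session-captcha or its advisory. It models the return-value contract the advisory describes with two hypothetical stand-ins (`legacy_validate` for the pre-1.2.1 behaviour that returns `None` on an empty submission, `fixed_validate` for the 1.2.1 behaviour that returns `False`), then runs the vulnerable `== False` gate and the truthiness workaround against constructed inputs so the bypass and the fix can be observed side by side.

```python
"""Added example, not flask-session-captcha's own code.

Shows why `validate() == False` is an unsafe gate when the validator can
return None, and why `not validate()` (the advisory's workaround) is not.
"""


def legacy_validate(session_answer, submitted):
    """Hypothetical stand-in for flask-session-captcha < 1.2.1 validate():
    returns None (not False) when the form carries no captcha value."""
    if submitted is None or submitted == "":
        return None  # the defect: falsy, but `None == False` is False
    return submitted.strip().lower() == session_answer.lower()


def fixed_validate(session_answer, submitted):
    """Stand-in for the 1.2.1 behaviour: an empty submission is a plain failure."""
    if submitted is None or submitted == "":
        return False
    return submitted.strip().lower() == session_answer.lower()


def gate_explicit_false(validate, session_answer, submitted):
    """The vulnerable pattern from the advisory: `if validate() == False: abort`."""
    if validate(session_answer, submitted) == False:  # noqa: E712 (deliberate)
        return "abort"
    return "allowed"


def gate_truthiness(validate, session_answer, submitted):
    """The workaround pattern from the advisory: `if not validate(): abort`."""
    if not validate(session_answer, submitted):
        return "abort"
    return "allowed"


def compare_gates():
    """Run every constructed submission through both gates and both validators.

    Returns {case: (legacy + '== False', legacy + 'not', fixed + '== False')}.
    """
    answer = "k7p2q"  # constructed value standing in for the session-stored answer
    cases = {
        "correct": "K7P2Q",  # right answer, case differs
        "wrong": "xxxxx",    # wrong answer
        "empty": "",         # form field present but empty
        "missing": None,     # form field absent (request.form.get() -> None)
    }
    rows = {}
    for name, submitted in cases.items():
        rows[name] = (
            gate_explicit_false(legacy_validate, answer, submitted),
            gate_truthiness(legacy_validate, answer, submitted),
            gate_explicit_false(fixed_validate, answer, submitted),
        )
    return rows


if __name__ == "__main__":
    print(f"{'case':8} {'legacy,==False':15} {'legacy,not':11} {'fixed,==False'}")
    for name, (legacy_eq, legacy_not, fixed_eq) in compare_gates().items():
        print(f"{name:8} {legacy_eq:15} {legacy_not:11} {fixed_eq}")
```

Running it shows the "empty" and "missing" rows reaching `allowed` only in the first column: the legacy validator hands back `None`, `None == False` is `False`, and the `== False` gate falls through. The truthiness gate treats `None` and `False` alike, which is the whole reason the advisory's workaround holds, and the 1.2.1-style validator closes the gap even for code that still compares against `False`.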
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| 3.1 | Primary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 4.0 | Secondary | GHSA | 6.9 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |