Description
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45
Patch, Third Party Advisory x_refsource_misc
https://github.com/Tethik/flask-session-captcha/pull/27
Patch, Third Party Advisory x_refsource_misc
https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1
Scores
CVSS v3
5.3
EPSS
0.0110
EPSS Percentile
61.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-754
CWE-253
CWE-394
Status
published
Products (2)
flask-session-captcha_project/flask-session-captcha
< 1.2.1
pypi/flask-session-captcha
0 - 1.2.1PyPI
Published
Apr 25, 2022
Tracked Since
Feb 18, 2026