Miggo Logo
Miggo Vulnerability Database
GHSA-8mgq-6r2q-82w9

GHSA-8mgq-6r2q-82w9: Captcha Bypass in strapi-plugin-ezforms

N/A

CVSS Score

Basic Information

CVE ID
-
GHSA ID
GHSA-8mgq-6r2q-82w9
EPSS Score
-
CWE
-
Published
8/30/2022
Updated
1/12/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
strapi-plugin-ezformsnpm< 0.1.00.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing return statements in error handling after CAPTCHA validation failures. In the pre-patch version, after checking if verification.valid was false, the controller would log the error but continue processing notifications and database storage. The critical code flow continued even when CAPTCHA validation failed because the error responses (ctx.internalServerError/ctx.badRequest) weren't followed by return statements, allowing attackers to bypass CAPTCHA requirements. The patch added return statements to these error conditions, which properly terminates the request handling process() when CAPTCHA validation fails.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs usin* *ny **pt*** provi**rs ### P*t***s >*.*.* ### R***r*n**s [Issu*](*ttps://*it*u*.*om/*x*l-n*tworks/str*pi-plu*in-*z*orms/issu*s/**)

Reasoning

T** vuln*r**ility st*mm** *rom missin* r*turn st*t*m*nts in *rror **n*lin* **t*r **PT*** v*li**tion **ilur*s. In t** pr*-p*t** v*rsion, **t*r ****kin* i* `v*ri*i**tion.v*li*` w*s **ls*, t** *ontroll*r woul* lo* t** *rror *ut *ontinu* pro**ssin* noti*