CVE-2022-45003: 
vulnerability analysis and mitigation

Gophish through version 0.12.1 contains a Denial of Service (DoS) vulnerability that can be exploited via a crafted payload involving autofocus. The vulnerability was assigned CVE-2022-45003 and affects all versions up to and including 0.12.1 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to the handling of autofocus attributes in the application and can be triggered by submitting a specially crafted payload. The weakness has been classified as CWE-400 (Uncontrolled Resource Consumption) by CISA-ADP (NVD).

When successfully exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) condition, potentially making the Gophish service unavailable to legitimate users. The attack requires no user interaction and can be executed remotely (NVD).

The vulnerability has been addressed in subsequent releases. Users are advised to upgrade their Gophish installations to versions newer than 0.12.1. The upgrade process involves downloading the new release, extracting it to a folder, and copying the existing gophish.db file to the new directory (Github Release).