CVE-2023-45292: 
vulnerability analysis and mitigation

CVE-2023-45292 is a security vulnerability in the base64Captcha library affecting versions prior to 1.3.6. The vulnerability was discovered and disclosed in December 2023. The issue allows attackers to bypass CAPTCHA verification when using the default implementation of the Verify function (Go Vuln DB).

The vulnerability exists in the default implementation of the Verify function used to check CAPTCHAs. The bypass occurs when specific parameters are provided: a non-existent ID as the first parameter, an empty string as the second parameter, and true as the third parameter. Under these conditions, the function incorrectly validates the CAPTCHA as correct. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to bypass CAPTCHA verification mechanisms, potentially circumventing security controls that rely on CAPTCHA validation. This could lead to automated abuse of protected functionalities that were intended to be accessible only to human users (Go Vuln DB).

The vulnerability has been fixed in version 1.3.6 of base64Captcha. The fix includes additional validation checks for empty ID and answer parameters in the Verify method. Users are advised to upgrade to version 1.3.6 or later to address this security issue (Github Commit).