漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template
Vulnerability Description
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Captcha Protect 跨站脚本漏洞
Vulnerability Description
Captcha Protect是libops开源的一个基于流量检测的验证码防护中间件。 Captcha Protect 1.12.2之前版本存在跨站脚本漏洞,该漏洞源于挑战页面接受客户端提供的目标值并使用Go的text/template将其渲染到HTML中,由于text/template不执行上下文HTML转义,可能导致攻击者提供特制的目标值以突破隐藏输入属性并向挑战页面注入任意脚本。
CVSS Information
N/A
Vulnerability Type
N/A