Captcha Protect
Monthly
Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.
Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.