Description
Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn invite links.
Problem types
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-whc5-fvr7-g5v3 (GitHub Security Advisory (GHSA-whc5-fvr7-g5v3))
www.vulncheck.com/...alidation-in-accept-invitation-endpoint (VulnCheck Advisory: Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint)