Traefik Captcha Protect Middleware Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Captcha Protect middleware for Traefik, in versions prior to 1.12.2. The vulnerability arises because the challenge page renders a client-supplied destination value into HTML using Go's text/template, which performs no contextual HTML escaping. Because the value is placed inside the attribute of a hidden input, a crafted destination value can break out of that attribute and inject arbitrary script. Exploitation of this vulnerability would execute the injected JavaScript in the context of the application origin.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute scripts in the context of the user's session.
Reproduction
To reproduce this vulnerability, send a request to the challenge page with a crafted destination parameter that includes JavaScript code, such as a script tag with an alert function. The injected script will be executed when the challenge page is rendered.
Remediation
Users are advised to upgrade to version 1.12.2 or later, where this vulnerability has been fixed by changing the template rendering to use html/template, which applies the necessary HTML escaping, and by normalizing and restricting the destination parameter before use.
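The unsafe and fixed rendering paths described in the Vulnerability and Remediation sections, as an added example that is not the middleware's own code: the same constructed challenge template is rendered once with text/template and once with html/template, and an assumed normalizeDestination helper illustrates the "normalize and restrict" step. The template, the helper, the "/" fallback and the constructed input are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	htmltemplate "html/template"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// challengePage is a constructed stand-in for a captcha challenge page that
// carries the post-challenge destination in a hidden input. It is not the
// middleware's real template.
const challengePage = `<form method="POST" action="/challenge">
  <input type="hidden" name="destination" value="{{.Destination}}">
  <button type="submit">Continue</button>
</form>`

type pageData struct {
	Destination string
}

// renderTextTemplate shows the vulnerable pattern: text/template copies the
// value verbatim, so a double quote in Destination ends the attribute.
func renderTextTemplate(dest string) (string, error) {
	t, err := texttemplate.New("challenge").Parse(challengePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{Destination: dest}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTMLTemplate shows the fixed pattern: html/template parses the
// surrounding markup, sees that the value sits in a quoted attribute and
// escapes quotes and angle brackets so the attribute cannot be closed early.
func renderHTMLTemplate(dest string) (string, error) {
	t, err := htmltemplate.New("challenge").Parse(challengePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{Destination: dest}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// normalizeDestination is an assumed illustration of the "normalize and
// restrict" step: only an absolute path on the same origin (optionally with a
// query) is accepted; schemes, hosts, protocol-relative URLs and fragments are
// rejected or dropped, and the path is re-encoded from its parsed form.
func normalizeDestination(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", errors.New("destination must be a same-origin path")
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") {
		return "", errors.New("destination must be an absolute path")
	}
	// Rebuild from the parsed parts so only path and query survive.
	clean := url.URL{Path: u.Path, RawQuery: u.RawQuery}
	return clean.String(), nil
}

// renderChallenge layers both mitigations: validate the destination first,
// fall back to "/" (an assumed default) if it is rejected, then render with
// html/template so even an accepted value is escaped for its context.
func renderChallenge(raw string) (string, error) {
	dest, err := normalizeDestination(raw)
	if err != nil {
		dest = "/"
	}
	return renderHTMLTemplate(dest)
}

func main() {
	// Constructed input that closes the value attribute and injects markup.
	payload := `/account"><b>injected</b>`
	unsafe, _ := renderTextTemplate(payload)
	safe, _ := renderChallenge(payload)
	fmt.Println("text/template:\n" + unsafe)
	fmt.Println("html/template + normalization:\n" + safe)
}
```

Running it shows the text/template output with the attribute terminated and a `<b>` element injected, while the fixed path emits a value with the quote and angle brackets percent-encoded by normalization and, had any survived, entity-escaped by html/template. The two defences are independent: html/template alone stops the attribute breakout, and the path check alone stops redirects off the origin, which is why the fix applies both.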
