Impact
The exploit permits injection of arbitrary JavaScript into the captcha challenge page via a client‑supplied destination parameter. Because the plugin uses Go’s text/template without HTML escaping, the input is reflected verbatim, allowing an attacker to execute scripts in the victim’s browser and potentially steal credentials. This is a reflected Cross‑Site Scripting vulnerability (CWE‑79).
Affected Systems
The vulnerability impacts the libops captcha‑protect Traefik middleware in all versions prior to 1.12.2. Any Traefik instance that enables this plugin on subnets experiencing traffic spikes is affected.
Risk and Exploitability
With a CVSS score of 6.1, the issue carries moderate severity, and an EPSS probability of less than 1% indicates low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be a browser‑based reflected XSS triggered when a malicious destination URL is injected into the challenge page, causing the page to execute the crafted script.
OpenCVE Enrichment