
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN268
_____________________________________________________________________

DATE                : 14/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running reCAPTCHA v3 for Drupal versions
                               prior to 8.x-1.2.

=====================================================================
https://www.drupal.org/sa-contrib-2020-019
_____________________________________________________________________

reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

Project: reCAPTCHA v3
Date: 2020-May-13
Security risk:
Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

The reCaptcha v3 module enables you to protect your forms using Google
reCaptcha v3.

If the reCaptcha v3 challenge succeeds, all the other form validations
are bypassed. This makes it possible for attackers to submit invalid or
incomplete forms.

This vulnerability only affects forms that are protected by reCaptcha v3
and have server-side validation steps (e.g. required fields or custom
validation functions).
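The following is an added illustration of the failure mode described above, not code from the reCAPTCHA v3 module or from Drupal core. It models a form validation pipeline in plain Python: a captcha validator that short-circuits the pipeline when the challenge succeeds (so required-field and custom validators never run) beside the corrected pattern where the captcha step only ever adds its own error. The form layout, the token value and the captcha_succeeds() predicate are constructed assumptions; the last function is the kind of regression check a site owner can keep around to confirm a passing captcha never stands in for the other validators.

```python
# Added illustration of the SA-CONTRIB-2020-019 failure mode, not the
# reCAPTCHA v3 module's own code. The captcha verification is stubbed as a
# constructed predicate on the submitted token.
from dataclasses import dataclass, field
from typing import Callable, Dict

REQUIRED_FIELDS = ["name", "email"]          # assumed form layout
VALID_TOKEN = "constructed-valid-token"      # constructed stand-in for a real token


@dataclass
class FormState:
    """Minimal stand-in for the error bag Drupal keeps on a form state."""
    values: Dict[str, str]
    errors: Dict[str, str] = field(default_factory=dict)

    def set_error(self, name: str, message: str) -> None:
        self.errors[name] = message

    def has_errors(self) -> bool:
        return bool(self.errors)


def captcha_succeeds(values: Dict[str, str]) -> bool:
    """Constructed stand-in for the server-side token verification call."""
    return values.get("g-recaptcha-response") == VALID_TOKEN


def validate_required(state: FormState) -> None:
    """Required-field check: every listed field must be non-empty."""
    for name in REQUIRED_FIELDS:
        if not state.values.get(name, "").strip():
            state.set_error(name, f"{name} is required")


def validate_email(state: FormState) -> None:
    """Custom validation function: a crude shape check on the email value."""
    email = state.values.get("email", "")
    if email and "@" not in email:
        state.set_error("email", "email address is not valid")


def vulnerable_validate(values: Dict[str, str]) -> FormState:
    """Bypass pattern: a passing captcha returns before the other validators."""
    state = FormState(values)
    if captcha_succeeds(values):
        return state            # other validators never run: an empty form passes
    state.set_error("captcha", "captcha verification failed")
    validate_required(state)
    validate_email(state)
    return state


def fixed_validate(values: Dict[str, str]) -> FormState:
    """Every validator runs; the captcha step only ever adds its own error."""
    state = FormState(values)
    if not captcha_succeeds(values):
        state.set_error("captcha", "captcha verification failed")
    validate_required(state)
    validate_email(state)
    return state


def captcha_does_not_bypass(validate: Callable[[Dict[str, str]], FormState]) -> bool:
    """Regression check: a passing captcha with empty required fields must be rejected."""
    state = validate({"g-recaptcha-response": VALID_TOKEN, "name": "", "email": ""})
    return all(name in state.errors for name in REQUIRED_FIELDS)


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_validate), ("fixed", fixed_validate)):
        print(f"{label}: required-field errors still raised = {captcha_does_not_bypass(fn)}")
```

The design point is that the captcha result must be an additional error source, never a gate that decides the whole form is valid; the order in which validators run then stops mattering.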


Solution:

Install the latest version:

    If you use the reCAPTCHA v3 module for Drupal 8.x, upgrade to
    reCAPTCHA v3 8.x-1.2

Also see the reCAPTCHA v3 project page.


Reported By:

    arnaudvz
    Martijn Vermeulen


Fixed By:

    Denis V*****
    Majid Ali Khan


Coordinated By:

    Greg Knaddison of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


