CVE-2018-14596
Description
wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The application does not properly validate large numeric inputs for image dimensions, leading to resource exhaustion."
Attack vector
An unauthenticated remote attacker can send requests to the `checkcode` API endpoint with excessively large values for `font_size`, `width`, and `height` parameters. This causes the server to consume significant resources while attempting to generate the verification code image. The delay in response can be observed by monitoring the server's return time, and repeated requests can lead to the application becoming unresponsive or crashing [ref_id=1].
Affected code
The vulnerability exists in the `checkcode` API endpoint, specifically within the logic that handles the `font_size`, `width`, and `height` parameters. The provided reference points to the `index.php?g=api&m=checkcode&a=index` URL as the vulnerable path [ref_id=1].
What the fix does
The advisory suggests that the server should validate the parameters used to generate the verification code, specifically `font_size`, `width`, and `height`. Alternatively, these parameters could be removed from the link, or a different verification code mode could be used. The patch does not show specific code changes, but the recommendation implies that sanitizing these inputs or limiting their range would mitigate the vulnerability.
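One way to implement the server-side validation recommended above, as an added PHP example (not wancms code and not taken from the referenced advisory). The function name `checkcode_params` and every numeric limit are assumptions chosen for illustration.

```php
<?php
// Added illustration, not wancms code. All limits below are assumed values.
const CHECKCODE_LIMITS = [
    // parameter => [min, max, default]
    'font_size' => [10, 40, 20],
    'width'     => [40, 400, 120],
    'height'    => [20, 200, 40],
];

/**
 * Return bounded integer dimensions for the verification-code image.
 * Anything missing, non-integer, array-valued or outside the allowed
 * range falls back to the default instead of reaching the image library.
 */
function checkcode_params(array $query): array
{
    $params = [];
    foreach (CHECKCODE_LIMITS as $name => [$min, $max, $default]) {
        $value = filter_var(
            $query[$name] ?? $default,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]
        );
        // filter_var() returns false for malformed or out-of-range input.
        $params[$name] = ($value === false) ? $default : $value;
    }
    // Keep the glyphs inside the canvas.
    $params['font_size'] = min($params['font_size'], $params['height']);
    return $params;
}

// Constructed sample query strings (not captured traffic).
$samples = [
    'normal'    => ['font_size' => '18', 'width' => '150', 'height' => '50'],
    'oversized' => ['font_size' => '5000', 'width' => '100000', 'height' => '100000'],
    'malformed' => ['font_size' => '1e9', 'width' => ['1'], 'height' => '-5'],
    'missing'   => [],
];
foreach ($samples as $label => $query) {
    echo $label, ': ', json_encode(checkcode_params($query)), PHP_EOL;
}
```

Applied to the request parameters before any image is allocated, this keeps the cost of each `checkcode` request fixed regardless of what the client sends.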
Preconditions
- network: The target system must be accessible over the network.
- input: The attacker needs to be able to send HTTP requests to the `checkcode` API endpoint.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/HUILYUH/wancms/blob/master/README.md (mitre, x_refsource_MISC)