VYPR
Moderate severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 27, 2025

Improper Restriction of Excessive Authentication Attempts in answerdev/answer

CVE-2023-1539

Description

Improper Restriction of Excessive Authentication Attempts in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-1539 is an improper restriction of excessive authentication attempts in answerdev/answer prior to 1.0.6, allowing brute-force attacks.

CVE-2023-1539 identifies an improper restriction of excessive authentication attempts (CWE-307) in the answerdev/answer project before version 1.0.6. The advisory attributes the root cause to the login endpoint's lack of an effective rate-limiting mechanism, which lets an attacker submit an unlimited number of password guesses. [1]

The attack requires no prior authentication or special privileges: the attacker simply sends repeated login requests to the login interface. The fix commit [3] shows the specific weakness: a captcha, once solved, was never invalidated, so the same captcha key and answer could be replayed with every login attempt and the captcha placed no bound on the number of guesses. [3]

An adversary can therefore brute-force user credentials and gain unauthorized access to accounts, which may lead to data theft, account takeover, or further compromise of the platform. [1]

The vulnerability is fixed in version 1.0.6. The fix changes the captcha verification logic so that the stored captcha is deleted as soon as it is read for verification, before the submitted answer is compared [3]; every verification attempt consumes the captcha, whether or not the answer is correct, so it cannot be reused. Users should upgrade to 1.0.6 or later. [1][2]
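To make the reuse concrete, here is an added example in Go (not code from the answerdev/answer project) that models the two verification behaviours side by side, with a constructed in-memory store standing in for the project's cache: verifyReusable keeps the captcha after checking it, as before 1.0.6, and verifyOnce deletes it before the comparison, as the fix does. The store, the function names and the sample key/answer are assumptions for illustration; the constant-time comparison and the surfaced delete error are hardening beyond what the patch itself adds.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"sync"
)

var errCaptchaNotFound = errors.New("captcha not found")

// captchaStore is a constructed in-memory stand-in for the cache-backed
// captcha repository (assumption: the real one sits on a shared cache).
type captchaStore struct {
	mu    sync.Mutex
	items map[string]string
}

func newCaptchaStore() *captchaStore {
	return &captchaStore{items: make(map[string]string)}
}

func (s *captchaStore) Set(key, captcha string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[key] = captcha
}

func (s *captchaStore) Get(key string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	v, ok := s.items[key]
	if !ok {
		return "", errCaptchaNotFound
	}
	return v, nil
}

// Del removes the key and reports whether anything was actually deleted, so a
// caller can tell a lost race (already consumed) from a normal single use.
func (s *captchaStore) Del(key string) (bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.items[key]
	delete(s.items, key)
	return ok, nil
}

// verifyReusable mirrors the pre-fix logic: compare, but never invalidate.
// One solved captcha therefore gates any number of login attempts.
func verifyReusable(s *captchaStore, key, captcha string) bool {
	stored, err := s.Get(key)
	if err != nil {
		return false
	}
	return strings.TrimSpace(captcha) == stored
}

// verifyOnce mirrors the fixed logic: the stored value is deleted before the
// comparison, so every check consumes the captcha, right or wrong.
func verifyOnce(s *captchaStore, key, captcha string) (bool, error) {
	stored, err := s.Get(key)
	if err != nil {
		return false, nil // unknown or already-consumed key: treated as wrong
	}
	deleted, err := s.Del(key)
	if err != nil {
		// Assumption beyond the patch: a failed invalidation fails the check
		// instead of being swallowed, so the captcha can never stay reusable.
		return false, fmt.Errorf("invalidate captcha: %w", err)
	}
	if !deleted {
		return false, nil // a concurrent verify consumed it first
	}
	// Constant-time compare is hardening added here, not part of the fix.
	ok := subtle.ConstantTimeCompare([]byte(strings.TrimSpace(captcha)), []byte(stored)) == 1
	return ok, nil
}

// passedGate counts how many of n login attempts, all replaying the same
// captcha key and answer, get past the captcha check.
func passedGate(verify func(key, captcha string) bool, key, answer string, n int) int {
	passed := 0
	for i := 0; i < n; i++ {
		if verify(key, answer) {
			passed++
		}
	}
	return passed
}

func main() {
	const key, answer = "captcha-key-1", "a7x9" // constructed sample values

	old := newCaptchaStore()
	old.Set(key, answer)
	fmt.Println("reusable:", passedGate(func(k, c string) bool {
		return verifyReusable(old, k, c)
	}, key, answer, 50), "of 50 attempts passed the captcha")

	fixed := newCaptchaStore()
	fixed.Set(key, answer)
	fmt.Println("single-use:", passedGate(func(k, c string) bool {
		ok, _ := verifyOnce(fixed, k, c)
		return ok
	}, key, answer, 50), "of 50 attempts passed the captcha")
}
```

With the reusable variant all 50 replayed attempts pass the captcha gate, so the only limit on guessing is the attacker's bandwidth; with the single-use variant exactly one passes, and a wrong guess consumes the captcha just as a correct one does, which is the property the 1.0.6 patch introduces.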

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions   Patched versions
github.com/answerdev/answer (Go)   < 1.0.6             1.0.6

Affected products

2

Patches

1
813ad0b98946

update VerifyCaptcha

https://github.com/answerdev/answer · aichy126 · Feb 24, 2023 · via ghsa
2 files changed · +15 −0
  • internal/repo/captcha/captcha.go  +8 −0  modified
    @@ -68,3 +68,11 @@ func (cr *captchaRepo) GetCaptcha(ctx context.Context, key string) (captcha stri
     	}
     	return captcha, nil
     }
    +
    +func (cr *captchaRepo) DelCaptcha(ctx context.Context, key string) (err error) {
    +	err = cr.data.Cache.Del(ctx, key)
    +	if err != nil {
    +		log.Debug(err)
    +	}
    +	return nil
    +}
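Review bot: DelCaptcha swallows the cache error: it logs it at debug level and returns nil unconditionally (`log.Debug(err)` / `return nil`), so the named return `err` is never propagated and a caller cannot tell a successful delete from a failed one. If the cache delete fails, the captcha stays in the cache and remains verifiable, which is exactly the reuse this patch is meant to close. Return the error (`return err`) and log it at error level so the caller can refuse the verification.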
    
  • internal/service/action/captcha_service.go  +7 −0  modified
    @@ -16,6 +16,7 @@ import (
     type CaptchaRepo interface {
     	SetCaptcha(ctx context.Context, key, captcha string) (err error)
     	GetCaptcha(ctx context.Context, key string) (captcha string, err error)
    +	DelCaptcha(ctx context.Context, key string) (err error)
     	SetActionType(ctx context.Context, ip, actionType string, amount int) (err error)
     	GetActionType(ctx context.Context, ip, actionType string) (amount int, err error)
     	DelActionType(ctx context.Context, ip, actionType string) (err error)
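Review bot: DelCaptcha is added to CaptchaRepo without a doc comment; the neighbouring methods have none either, but this one carries the contract the fix depends on, namely that after it returns, GetCaptcha for the same key must fail so the captcha cannot be verified twice. A one-line comment stating that, and that a failed delete must be treated as a failed verification, would keep any other implementation of this interface (a mock, a different cache backend) from reintroducing the reuse.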
    @@ -143,6 +144,12 @@ func (cs *CaptchaService) GenerateCaptcha(ctx context.Context) (key, captchaBase
     func (cs *CaptchaService) VerifyCaptcha(ctx context.Context, key, captcha string) (isCorrect bool, err error) {
     	realCaptcha, err := cs.captchaRepo.GetCaptcha(ctx, key)
     	if err != nil {
    +		log.Error("VerifyCaptcha GetCaptcha Error", err.Error())
    +		return false, nil
    +	}
    +	err = cs.captchaRepo.DelCaptcha(ctx, key)
    +	if err != nil {
    +		log.Error("VerifyCaptcha DelCaptcha Error", err.Error())
     		return false, nil
     	}
     	return strings.TrimSpace(captcha) == realCaptcha, nil
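Review bot: the error branch after `err = cs.captchaRepo.DelCaptcha(ctx, key)` is unreachable as the patch stands, because the repo implementation in captcha.go always returns nil; either make DelCaptcha propagate the cache error or drop the branch, otherwise a reader assumes a failed delete blocks verification when it does not. Deleting before the comparison is the right order, since both a wrong guess and a correct answer then consume the captcha, which is what stops replay across login attempts. Two smaller points: `log.Error("VerifyCaptcha GetCaptcha Error", err.Error())` passes the message as a separate argument rather than formatting it into one string, and `strings.TrimSpace(captcha) == realCaptcha` is a plain comparison, acceptable for a short captcha but `subtle.ConstantTimeCompare` costs nothing here.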
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
