Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-49438

CVE-2023-49438

December 26, 2023

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

Affected Packages

Flask-Security-Too (PYTHON):

Affected version(s) >=3.0.1rc1 <5.3.3

Fix Suggestion:

Update to version 5.3.3

Related Resources (8)

https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2023-248.yaml

https://github.com/Flask-Middleware/flask-security/commit/8b5abc4d4db9926a3d76b34b8b03255effb5e712

https://github.com/Flask-Middleware/flask-security

https://github.com/brandon-t-elliott/CVE-2023-49438

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM

https://nvd.nist.gov/vuln/detail/CVE-2023-49438

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

EPSS

Base Score:

0.20

Products

Solutions

Resources

Company

Compare

Developer Tools