Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CSRF can expose users authentication token in Flask-Security-Too
Vulnerability Description
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Flask Middleware Flask-security 跨站请求伪造漏洞
Vulnerability Description
Flask Middleware Flask-security是Flask Middleware组织的一个基于Python的可为Flask应用提供安全功能的代码库。 Flask Middleware Flask-security 版本3.3.0 至 3.4.5版本中存在跨站请求伪造漏洞。该漏洞源于在用户可通过GET请求 /login and /change 获得验证Token,使CSRF token的安全性无法保障。
CVSS Information
N/A
Vulnerability Type
N/A