CVE-2021-21241

Description

The Python Flask-Security-Too package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated users authentication token in response to a GET request. Since GET requests arent protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you arent using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to 0 (seconds) which should make the token unusable.

Risk Information

Base Score

7.4

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.421

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2021-21241 are fixed in Python-flask-security-too 3.4.5	Windows
SUSE-SU-2022:3093-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) python3-Flask-Security-Too-3.4.2-150200.3.3.1.noarch_15_SP3.rpm	Linux
Vulnerabilities CVE-2021-21241 are fixed in Python-flask-security-too for linux 3.4.5	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234