Headline
GHSA-fqxj-46wg-9v84: Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)
Impact
A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page. This URL could inject malicious JavaScript that would then execute in the user's browser.
Impacted versions: Flask-AppBuilder version 4.1.4 up to and including 4.2.0
Patches
This issue was introduced in 4.1.4 and patched in 4.2.1; users should upgrade to 4.2.1 or a newer version.
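The advisory describes the general shape of the bug (text taken from the URL reaching the login page's HTML unescaped) and the affected range (4.1.4 up to and including 4.2.0). The following is an added illustration, not code from Flask-AppBuilder and not the actual template or parameter involved in GHSA-fqxj-46wg-9v84: the `TEMPLATE` string, the `msg` query parameter, and the `render_unescaped`, `render_escaped`, `message_from_url` and `is_affected` helpers are all assumptions made for the example. It contrasts a weak rendering pattern with the escaped one that Jinja2 autoescaping gives you in Flask, and includes a small check of whether an installed version falls inside the advisory's affected range.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-in for a login-page template fragment. The real
# Flask-AppBuilder template and parameter are not shown in the advisory;
# this only illustrates the class of bug (untrusted URL data in HTML).
TEMPLATE = '<div class="alert">Login failed: {msg}</div>'


def render_unescaped(msg: str) -> str:
    """Weak pattern: URL-controlled text is pasted into the markup verbatim,
    so any tags it carries become part of the page."""
    return TEMPLATE.format(msg=msg)


def render_escaped(msg: str) -> str:
    """Hardened pattern: HTML-escape untrusted text before it lands in markup.
    This is the behaviour Jinja2 autoescaping provides for {{ msg }} in Flask."""
    return TEMPLATE.format(msg=escape(msg, quote=True))


def message_from_url(url: str) -> str:
    """Extract the first 'msg' query parameter from a URL ('msg' is a constructed
    parameter name for this example, not one named in the advisory)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("msg", [""])[0]


def parse_version(version: str) -> tuple:
    """Turn a dotted release string such as '4.2.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


AFFECTED_MIN = parse_version("4.1.4")  # first vulnerable release (from the advisory)
FIXED = parse_version("4.2.1")         # first patched release (from the advisory)


def is_affected(version: str) -> bool:
    """True if a Flask-AppBuilder version is in the advisory's range >= 4.1.4, < 4.2.1."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


if __name__ == "__main__":
    # Constructed sample URL whose query parameter carries HTML markup.
    crafted = "https://example.invalid/login/?msg=%3Cb%3Ehello%3C%2Fb%3E"
    text = message_from_url(crafted)
    print("weak    :", render_unescaped(text))  # tags pass straight into the page
    print("hardened:", render_escaped(text))    # tags arrive as &lt;b&gt; ... &lt;/b&gt;
    for v in ("4.1.3", "4.1.4", "4.2.0", "4.2.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The escaped rendering is the behaviour to expect from a patched page: markup supplied through the URL is displayed as text rather than interpreted. The version check is a quick way to triage an inventory of installed packages against the advisory's range before planning the upgrade.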
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-27083
Moderate severity GitHub Reviewed Published Feb 28, 2024 in dpgaspar/Flask-AppBuilder • Updated Feb 28, 2024
Package
pip Flask-AppBuilder (pip)
Affected versions
>= 4.1.4, < 4.2.1
References
- GHSA-fqxj-46wg-9v84
- dpgaspar/Flask-AppBuilder@3d17741
Published to the GitHub Advisory Database: Feb 28, 2024
Last updated: Feb 28, 2024