GHSA-hh7j-pg39-q563: toui allows user-specific variables to be shared between users
Impact
Websites that use the `Website.user_vars` property in versions.
Patches
It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1.
Workarounds
Do not use `Website.user_vars` in websites when using versions v2.0.1 to v2.4.0. Also, do not use `Website.signin_user()` in version v2.4.0 only.
Explanation
ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored on the server side.
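The following is an added illustration of the bug class described above, not ToUI's own code: a per-process, in-memory cache such as Flask-Caching's SimpleCache is shared by every request the server handles, so per-user state stored under a fixed cache key leaks between users, while namespacing the key by an unguessable session id keeps sessions isolated. A plain dict stands in for SimpleCache, and the class and function names are assumptions made for this example.

```python
import secrets


class ServerCache:
    """Stand-in for SimpleCache: one in-memory store shared by all requests."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value


class SharedUserVars:
    """Vulnerable pattern: all users' variables live under one fixed cache key,
    so whichever request wrote last is what every other user reads back."""

    KEY = "user_vars"  # no per-user component in the key

    def __init__(self, cache):
        self.cache = cache

    def set_var(self, session_id, name, value):
        current = dict(self.cache.get(self.KEY) or {})
        current[name] = value
        self.cache.set(self.KEY, current)

    def get_var(self, session_id, name):
        return (self.cache.get(self.KEY) or {}).get(name)


class SessionScopedUserVars:
    """Fixed pattern: the cache key is namespaced by the caller's session id,
    so one session cannot observe another session's variables."""

    def __init__(self, cache):
        self.cache = cache

    def set_var(self, session_id, name, value):
        current = dict(self.cache.get(f"user_vars:{session_id}") or {})
        current[name] = value
        self.cache.set(f"user_vars:{session_id}", current)

    def get_var(self, session_id, name):
        return (self.cache.get(f"user_vars:{session_id}") or {}).get(name)


def simulate(store_cls):
    """Two users served by the same process; returns (what Alice sees, what Bob sees)."""
    store = store_cls(ServerCache())
    alice, bob = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    store.set_var(alice, "email", "alice@example.com")  # constructed sample values
    store.set_var(bob, "email", "bob@example.com")
    return store.get_var(alice, "email"), store.get_var(bob, "email")
```

With the shared key, Alice's request reads back Bob's email; with the session-scoped key, each user sees only their own value.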
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-33175
Affected versions
>= 2.0.1, < 2.4.1
References
- GHSA-hh7j-pg39-q563
- https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1
Published to the GitHub Advisory Database
May 24, 2023
GHSA ID
GHSA-hh7j-pg39-q563
Related news
ToUI is a Python package for creating user interfaces (websites and desktop apps) from HTML. ToUI uses Flask-Caching (SimpleCache) to store user variables. Websites that use the `Website.user_vars` property are affected. It affects versions 2.0.1 to 2.4.0. This issue has been patched in version 2.4.1.