flask-security-too@3.0.1 vulnerabilities

Quickly add security features to your Flask application.

latest version

5.5.2
latest non vulnerable version

5.5.2
first published

6 years ago
latest version published

3 months ago
licenses detected
- MIT
  [0,)
View flask-security-too package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the flask-security-too package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Open Redirect Affected versions of this package are vulnerable to Open Redirect via the the `/login` and `/register` routes, using the `?next` parameter. Note: With Werkzeug >=2.1.0 the `autocorrect_location_header` configuration was changed to `False` - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer. How to fix Open Redirect? Upgrade `Flask-Security-Too` to version 5.3.3 or higher.	[,5.3.3)
M Open Redirect Affected versions of this package are vulnerable to Open Redirect. When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`. This vulnerability is only exploitable if an alternative WSGI server other than `Werkzeug` is used, or the default behaviour of `Werkzeug` is modified using 'autocorrect_location_header=False`. How to fix Open Redirect? Upgrade `Flask-Security-Too` to version 4.1.0 or higher.	[0,4.1.0)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect via the the /login and /register routes, using the ?next parameter.

Note:

With Werkzeug >=2.1.0 the autocorrect_location_header configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.

How to fix Open Redirect?

Upgrade Flask-Security-Too to version 5.3.3 or higher.

[,5.3.3)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path.

This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False`.

How to fix Open Redirect?

Upgrade Flask-Security-Too to version 4.1.0 or higher.

[0,4.1.0)

Go back to all versions of this package

flask-security-too@3.0.1 vulnerabilities

Quickly add security features to your Flask application.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities