Homepage
About Snyk

flask-security-too@3.3.0 vulnerabilities

Quickly add security features to your Flask application.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the flask-security-too package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Open Redirect

Affected versions of this package are vulnerable to Open Redirect via the the /login and /register routes, using the ?next parameter.

Note:

With Werkzeug >=2.1.0 the autocorrect_location_header configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.

How to fix Open Redirect?

Upgrade Flask-Security-Too to version 5.3.3 or higher.

[,5.3.3)
  • L
Authentication Bypass

Affected versions of this package are vulnerable to Authentication Bypass such that it is possible for a malicious 3rd party to access the QRcode and therefore gain access to two-factor authentication codes.

Note:

The /tf-qrcode endpoint is ONLY accessible while the user is initially setting up their device. Once setup is complete, there is no vulnerability.

How to fix Authentication Bypass?

Upgrade Flask-Security-Too to version 3.4.5 or higher.

[3.2.0,3.4.5)
  • M
Open Redirect

Affected versions of this package are vulnerable to Open Redirect. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path.

This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False`.

How to fix Open Redirect?

Upgrade Flask-Security-Too to version 4.1.0 or higher.

[0,4.1.0)
  • L
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). When a user is setting up two-factor authentication using an authenticator app, a QRcode is generated and made available via a GET request to /tf-qrcode. Since GETs do not have any CSRF protection, it is possible a malicious 3rd party could access the QRcode and therefore gain access to two-factor authentication codes. Note that the /tf-qrcode endpoint is ONLY accessible while the user is initially setting up their device. Once setup is complete, there is no vulnerability.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade Flask-Security-Too to version 3.4.5 or higher.

[3.2.0,3.4.5)
  • H
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade Flask-Security-Too to version 3.4.5 or higher.

[3.3.0,3.4.5)
Go back to all versions of this package