The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Improper Authentication vulnerabilities in an interactive lesson.
Start learningUpgrade Flask-AppBuilder
to version 4.3.11 or higher.
Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.
Affected versions of this package are vulnerable to Improper Authentication due to incorrect authentication handling when using the AUTH_OID
auth type. An attacker can forge an HTTP request to deceive the backend into using any requested OpenID service, potentially granting unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.
Note:
This is only exploitable when the application uses the old OpenID 2.0 authorization protocol, which is considered legacy and has been deprecated for over a decade.
This vulnerability can be mitigated by adding a specific configuration to the application's config. This involves defining a FixedOIDView
and a FixedSecurityManager
class to properly validate OpenID providers.