<p>Upgrade <code>flask-wtf</code> to version 0.9.5 or higher.</p>

Cross-site Request Forgery (CSRF) Affecting flask-wtf package, versions [,0.9.5)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-FLASKWTF-2309917
published 8 Dec 2021
disclosed 6 Dec 2021
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 6 Dec 2021

CWE-352 Open this link in a new tab

How to fix?

Upgrade flask-wtf to version 0.9.5 or higher.

Overview

flask-wtf is an integration of Flask and WTForms, including CSRF, file upload, and reCAPTCHA.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) because of missing CSRF tokens on all of the templates excluding Jinja2.

References

GitHub Commit

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

None

Cross-site Request Forgery (CSRF) Affecting flask-wtf package, versions [,0.9.5)

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 6 Dec 2021

How to fix?

Overview

References

CVSS Scores

Snyk