Cross-site Request Forgery (CSRF) Affecting flask-wtf package, versions [,0.9.5)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-FLASKWTF-2309917
- published 8 Dec 2021
- disclosed 6 Dec 2021
- credit Unknown
How to fix?
Upgrade flask-wtf
to version 0.9.5 or higher.
Overview
flask-wtf is an integration of Flask and WTForms, including CSRF, file upload, and reCAPTCHA.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) because of missing CSRF tokens on all of the templates excluding Jinja2
.
References
CVSS Scores
version 3.1