GHSA-fqxj-46wg-9v84

Source

https://github.com/advisories/GHSA-fqxj-46wg-9v84

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-fqxj-46wg-9v84/GHSA-fqxj-46wg-9v84.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fqxj-46wg-9v84

Aliases

CVE-2024-27083

Published

2024-02-28T18:37:01Z

Modified

2024-03-01T15:01:04.528176Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)

Details

Impact

A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser.

Impacted versions: Flask-AppBuilder version 4.1.4 up to and including 4.2.0

Patches

This issue was introduced on 4.1.4 and patched on 4.2.1, user's should upgrade to 4.2.1 or newer versions.

References

Affected packages

PyPI / flask-appbuilder

Package

Name: flask-appbuilder; View open source insights on deps.dev
Purl: pkg:pypi/flask-appbuilder

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.4

Fixed

4.2.1

Affected versions

4.*

4.1.4

4.1.5rc1

4.1.5

4.1.6rc1

4.1.6

4.1.7rc1

4.2.0rc1

4.2.0

4.2.1rc1