GHSA-hh7j-pg39-q563

Source

https://github.com/advisories/GHSA-hh7j-pg39-q563

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hh7j-pg39-q563/GHSA-hh7j-pg39-q563.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hh7j-pg39-q563

Aliases

CVE-2023-33175

Published

2023-05-24T17:38:52Z

Modified

2024-02-16T08:21:03.567415Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

toui allows user-specific variables to be shared between users

Details

Impact

Websites that use Website.user_vars property in versions.

Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1

Workarounds

Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.

Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.

Database specific

{
    "cwe_ids": [
        "CWE-913",
        "CWE-914"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2023-05-30T05:15:11Z",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T17:38:52Z"
}

References

Affected packages

PyPI / toui

Package

Name: toui; View open source insights on deps.dev
Purl: pkg:pypi/toui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.1

Fixed

2.4.1

Affected versions

2.*

2.0.1

2.1.0

2.1.1

2.2.0

2.3.0

2.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hh7j-pg39-q563/GHSA-hh7j-pg39-q563.json"