GHSA-hh7j-pg39-q563

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hh7j-pg39-q563/GHSA-hh7j-pg39-q563.json
Aliases
  • CVE-2023-33175
Published
2023-05-24T17:38:52Z
Modified
2023-05-30T06:50:27.694308Z
Details

Impact

Websites that use Website.user_vars property in versions.

Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1

Workarounds

Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.

Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.

References

Affected packages

PyPI / toui

toui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.1
Fixed
2.4.1

Affected versions

2.*

2.0.1
2.1.0
2.1.1
2.2.0
2.3.0
2.4.0