GHSA-hh7j-pg39-q563

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hh7j-pg39-q563/GHSA-hh7j-pg39-q563.json

Aliases

CVE-2023-33175

Published

2023-05-24T17:38:52Z

Modified

2023-05-30T06:50:27.694308Z

Details

Impact

Websites that use Website.user_vars property in versions.

Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1

Workarounds

Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.

Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.

References

https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563
https://nvd.nist.gov/vuln/detail/CVE-2023-33175
https://github.com/mubarakalmehairbi/ToUI
https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1

Affected packages

PyPI / toui

toui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.1

Fixed

2.4.1

Affected versions

2.*

2.0.1

2.1.0

2.1.1

2.2.0

2.3.0

2.4.0