CVE-2024-27083 — Cross-site Scripting in Flask-appbuilder

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

CNA4.3

EPSS

0.6%

top 29.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dpgaspar Flask-appbuilder

Timeline

Latest updateFeb 28

PublishedFeb 29

Description

Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDdpgaspar/flask-appbuilder4.1.4 — 4.2.1

▶PyPIdpgaspar/flask-appbuilder4.1.4 — 4.2.1

▶CVEListV5dpgaspar/flask-appbuilder>= 4.1.4, < 4.2.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)↗2024-02-28

▶

GHSA

Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)↗2024-02-28

▶

OSV

Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)↗2024-02-28

▶