CVE-2025-24023 — Observable Response Discrepancy in Flask-appbuilder
Severity
5.3MEDIUMNVD
CNA3.7
EPSS
0.4%
top 37.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 3
Description
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4