Dpgaspar Flask-Appbuilder vulnerabilities

14 known vulnerabilities affecting dpgaspar/flask-appbuilder.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 9, LOW 2

Vulnerabilities

CVE-2025-58065 | MEDIUM | CVSS 6.5 | fixed in 4.8.1 | 2025-09-11
CWE-287: Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password a
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-32962 | MEDIUM | CVSS 6.1 | fixed in 4.6.2 | 2025-05-16
CWE-601: Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-24023 | MEDIUM | CVSS 5.3 | fixed in 4.5.3 | 2025-03-03
CWE-204: Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2024-45314 | MEDIUM | CVSS 5.5 | fixed in 4.5.1 | 2024-09-04
CWE-525: Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server
Sources: cvelistv5, ghsa, nvd, osv
CVE-2024-25128 | CRITICAL | CVSS 9.1 | fixed in 4.3.11 | 2024-02-29
CWE-287: Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID serv
Sources: cvelistv5, ghsa, nvd, osv
CVE-2024-27083 | MEDIUM | CVSS 6.1 | affected ≥ 4.1.4, < 4.2.1 | 2024-02-29
CWE-79: Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page. This URL could inject malicious JavaScript code that would get executed on the us
Sources: cvelistv5, ghsa, nvd, osv
CVE-2023-34110 | LOW | CVSS 2.7 | fixed in 4.3.2 | 2023-06-22
CWE-209: Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add/edit User forms, trigger a database error; this error is surfaced back to this actor on the UI. On certain database engines this error can include
Sources: cvelistv5, ghsa, nvd, osv
CVE-2023-29005 | HIGH | CVSS 7.5 | fixed in 4.3.0 | 2023-04-10
CWE-307: Flask-AppBuilder versions before 4.3.0 lack rate limiting, which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-31177 | LOW | CVSS 2.7 | fixed in 4.1.3 | 2022-08-01
CWE-200: Flask-AppBuilder is an application development framework built on top of the Flask Python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed password strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an att
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-24776 | MEDIUM | CVSS 6.1 | fixed in 3.4.5 | 2022-03-24
CWE-601: Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using the database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-21659 | MEDIUM | CVSS 5.3 | fixed in 3.4.2 | 2022-01-31
CWE-203: Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows a non-authenticated user to enumerate existing accounts by timing the response time from the server when logging in. Users are advised to upgrade
Sources: ghsa, nvd, osv
CVE-2021-41265 | HIGH | CVSS 8.8 | fixed in 3.3.4 | 2021-12-09
CWE-287: Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authent
Sources: cvelistv5, ghsa, nvd, osv
CVE-2021-32805 | MEDIUM | CVSS 6.1 | fixed in 3.3.2 | 2021-09-08
CWE-601: Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions, if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder; this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve
Sources: cvelistv5, ghsa, nvd, osv
CVE-2021-29621 | MEDIUM | CVSS 5.3 | affected ≤ 3.2.3 | fixed in 3.3.0 | 2021-06-07
CWE-203: Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3 allows a non-authenticated user to enumerate existing accounts by timing the response time from the server when logging in. Upgrade to version 3.3.0 or higher to resolve.
Sources: cvelistv5, ghsa, nvd, osv