Information Disclosure
flask-security-too is vulnerable to information disclosure. The /tf-qrcode endpoint returns the authenticated user's two-factor authentication codes when GET request is submitted. This allows a remote attacker to perform CSRF attacks on a victim to obtain the two-factor authentication codes. The...