17 matches found
Flask session does not add `Vary: Cookie` header when accessed in some ways
When the session object is accessed, Flask should set the `Vary: Cookie` header. This tells shared caches to key the stored response on the request's Cookie header, because the response may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python `in` operator, were overlooked. The...
EUVD-2017-8887
Malware in sbrugna...
TencentOS Server 4: python-flask (TSSA-2025:0162)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by the vulnerability referenced in the TSSA-2025:0162 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
CVE-2025-48947
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...
CVE-2025-48947 NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...
PT-2025-23857 · Auth0 · Auth0 Next.Js Sdk
Name of the Vulnerable Software and Affected Versions: Auth0 Next.js SDK versions 4.0.1 through 4.6.0. Description: The issue concerns the caching of session cookies set by auth0.middleware in CDN environments due to missing Cache-Control headers. Three preconditions must be met for the...
CVE-2017-17735
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies...
OESA-2023-1936 python-flask security update
Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...
Amazon Linux 2023 : python3-flask (ALAS2023-2023-183)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-183 advisory. Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy t...
AZL-43798 CVE-2023-30861 affecting package python-flask 1.1.1-4
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session...
CVE-2023-30861 Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session...
PT-2023-2566 · Pypi +6 · Flask +6
Name of the Vulnerable Software and Affected Versions: Flask versions prior to 2.3.2; Flask versions prior to 2.2.5. Description: The issue arises when a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches...
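The Flask entries (CVE-2023-30861) and the Auth0 Next.js SDK entries (CVE-2025-48947) listed above describe the same failure mode: a shared cache stores a response that carries one client's session cookie and replays it to a different client, either because the response lacked `Vary: Cookie` or because it lacked a `Cache-Control` directive that forbids shared caching. The Python simulation below is an added example, not code from Flask, Auth0 or any project on this page. It models a simplified shared cache that stores any response not marked `private` or `no-store` and keys entries on the URL plus the request headers named in the response's `Vary` header, then shows the leak with and without the two mitigations. The origin functions, the sample requests and the `audit_response` check are constructed for this example and are not part of any advisory.

```python
"""Shared-cache leak simulation for the Vary: Cookie / Cache-Control issues above.

Added example; not code from Flask, Auth0 or any project listed on this page.
The cache model is a simplification of RFC 9111: it stores any response that is
not Cache-Control: private / no-store (and has no 'Vary: *'), and keys entries on
URL plus the request header values named in the response's Vary header.
All requests, responses and origin handlers below are constructed.
"""
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]


def _lower(headers: Headers) -> Headers:
    return {k.lower(): v for k, v in headers.items()}


def _directives(value: str) -> set:
    """'private, max-age=60' -> {'private', 'max-age'} (lower-cased directive names)."""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def _vary_fields(resp: Headers) -> List[str]:
    return [v.strip().lower() for v in _lower(resp).get("vary", "").split(",") if v.strip()]


def storable_by_shared_cache(resp: Headers) -> bool:
    """A shared cache may store the response unless it is private, no-store or Vary: *."""
    cc = _directives(_lower(resp).get("cache-control", ""))
    return not (cc & {"private", "no-store"}) and "*" not in _vary_fields(resp)


def cache_key(url: str, req: Headers, resp: Headers) -> Tuple:
    """Key = URL plus the request values of every header named in the response's Vary."""
    req_l = _lower(req)
    return (url,) + tuple((name, req_l.get(name, "")) for name in sorted(_vary_fields(resp)))


class SharedCache:
    """Minimal reverse-proxy cache: store once, replay to any later matching request."""

    def __init__(self) -> None:
        self._store: Dict[Tuple, Headers] = {}

    def fetch(self, url: str, req: Headers, origin: Callable[[str, Headers], Headers]):
        """Return (response_headers, hit). Matching uses each stored entry's own Vary."""
        for key, resp in self._store.items():
            if key[0] == url and key == cache_key(url, req, resp):
                return resp, True
        resp = origin(url, req)
        if storable_by_shared_cache(resp):
            self._store[cache_key(url, req, resp)] = resp
        return resp, False


# Constructed origin handlers. The session cookie is refreshed on every request,
# as with a permanent session; the X-Body-For header stands in for a user-specific body.
def origin_no_vary(url: str, req: Headers) -> Headers:
    """Vulnerable shape: cookie-bearing response with neither Vary nor Cache-Control."""
    user = _lower(req).get("cookie", "anonymous")
    return {"Set-Cookie": f"session={user}", "Content-Type": "text/html", "X-Body-For": user}


def origin_vary_cookie(url: str, req: Headers) -> Headers:
    """Mitigation 1: key the cache on the Cookie header (what the Flask fix relies on)."""
    resp = origin_no_vary(url, req)
    resp["Vary"] = "Cookie"
    return resp


def origin_private(url: str, req: Headers) -> Headers:
    """Mitigation 2: forbid shared caching outright (the marking the Auth0 entry says was missing)."""
    resp = origin_no_vary(url, req)
    resp["Cache-Control"] = "private, no-store"
    return resp


def leak_demo(origin: Callable[[str, Headers], Headers]) -> bool:
    """Two clients with different session cookies hit the same URL through one cache.
    Returns True if the second client is handed the first client's response (the leak)."""
    cache = SharedCache()
    alice, _ = cache.fetch("/dashboard", {"Cookie": "alice"}, origin)
    bob, hit = cache.fetch("/dashboard", {"Cookie": "bob"}, origin)
    return hit and bob["Set-Cookie"] == alice["Set-Cookie"]


def audit_response(resp: Headers) -> List[str]:
    """Practitioner's check on captured response headers: a cookie-bearing response that a
    shared cache may store must at least carry Vary: Cookie. Returns a list of findings."""
    h = _lower(resp)
    findings: List[str] = []
    if "set-cookie" in h and storable_by_shared_cache(resp) and "cookie" not in _vary_fields(resp):
        findings.append("Set-Cookie response is storable by a shared cache and lacks Vary: Cookie; "
                        "add Cache-Control: private/no-store or Vary: Cookie")
    return findings


if __name__ == "__main__":
    for name, origin in [("no Vary/Cache-Control", origin_no_vary),
                         ("Vary: Cookie", origin_vary_cookie),
                         ("Cache-Control: private, no-store", origin_private)]:
        print(f"{name}: leak={leak_demo(origin)}")
    print(audit_response(origin_no_vary("/dashboard", {"Cookie": "alice"})))
```

Run stand-alone, the first configuration reports the leak (Bob receives `session=alice` and Alice's body) while either mitigation prevents it; `audit_response` can be pointed at headers captured from a real deployment to spot the same pattern before a proxy is put in front of the application.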
CMS Made Simple has an unspecified vulnerability (CNVD-2017-37769)
CMS Made Simple (CMSMS) is an open source content management system (CMS) developed by the CMSMS team. It supports role-based rights management, wizard-based installation and updates, an intelligent caching mechanism, and more. A security vulnerability exists in CMS Made Simple...
CVE-2017-17735
CMS Made Simple (CMSMS) versions before 2.2.5 have a vulnerability where login information is not properly cached in cookies. Root cause: improper handling of login data in cookies. Impact is described by CVSS as high for confidentiality and integrity, but the connected documents do not spell out...
MGASA-2013-0368 Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). Internal review while debugging a site issue discovered that...