Lucene search
K
DpgasparFlask-appbuilder

13 matches found

CVE
CVE
added 2025/03/03 3:25 p.m.306 views

CVE-2025-24023

CVE-2025-24023 affects Flask-AppBuilder prior to 4.5.3, where unauthenticated users can enumerate existing usernames by timing the login request response. This timing discrepancy constitutes a partial information disclosure vulnerability with low to medium impact as described in multiple sources....

5.3CVSS4.1AI score0.00304EPSS
CVE
CVE
added 2024/09/04 4:8 p.m.293 views

CVE-2024-45314

CVE-2024-45314 affects Flask-AppBuilder: the auth DB login form allows the browser to cache sensitive data. Affected component is the login form; root cause is default cache directives exposing data in shared environments. Version 4.5.1 fixes the issue. If upgrading is not possible, a workaround ...

5.5CVSS4.4AI score0.00262EPSS
CVE
CVE
added 2025/05/16 1:51 p.m.175 views

CVE-2025-32962

CVE-2025-32962 affects Flask-AppBuilder before 4.6.2. An unauthenticated attacker can trigger an open redirect by manipulating the HTTP Host header. The root cause is insufficient validation of redirect targets. The advisory notes that Flask-AppBuilder 4.6.2 introduces the FAB_SAFE_REDIRECT_HOSTS...

6.1CVSS4.7AI score0.00191EPSS
CVE
CVE
added 2024/02/28 3:30 p.m.161 views

CVE-2024-25128

Flask-AppBuilder (FAB) is affected when AUTH_TYPE is set to AUTH_OID. The vulnerability allows forging an HTTP request to trick the backend into using an attacker-controlled OpenID service, potentially granting unauthorized privilege access. The issue is exploitable with OpenID 2.0 and is mitigat...

9.1CVSS9AI score0.00857EPSS
CVE
CVE
added 2024/02/28 3:34 p.m.153 views

CVE-2024-27083

CVE-2024-27083 affects Flask-AppBuilder. An XSS on the OAuth login page was introduced in 4.1.4 and fixed in 4.2.1. Impact is on the OAuth login flow where crafted URLs can execute JavaScript in the user’s browser. Affected versions: 4.1.4 through 4.2.0; remediation: upgrade to 4.2.1 or newer. Ex...

6.1CVSS4.3AI score0.00567EPSS
CVE
CVE
added 2023/04/10 8:47 p.m.148 views

CVE-2023-29005

Affected software: Flask-AppBuilder before 4.3.0. Root cause: lack of rate limiting on login allows brute-forcing credentials. Mitigation: upgrade to Flask-AppBuilder 4.3.0 or later; in 4.3.0+, enable rate limiting via AUTH_RATE_LIMITED = True, RATELIMIT_ENABLED = True, and set AUTH_RATE_LIMIT. S...

7.5CVSS7.4AI score0.00629EPSS
CVE
CVE
added 2022/08/01 7:5 p.m.146 views

CVE-2022-31177

CVE-2022-31177 affects Flask-AppBuilder versions prior to 4.1.3. An authenticated Admin could query other users by their salted and hashed password strings using partial hashed password strings. The server would not return full hashes, but an attacker could infer partial password hashes and their...

2.7CVSS3.1AI score0.00616EPSS
CVE
CVE
added 2021/06/07 7:0 p.m.130 views

CVE-2021-29621

The vulnerability is in Flask-AppBuilder (a Flask-based development framework). A user-enumeration flaw exists in the database authentication flow, where an unauthenticated user can infer existing accounts by measuring login response timing. Affected versions are Flask-AppBuilder

5.3CVSS5.2AI score0.03404EPSS
CVE
CVE
added 2025/09/11 5:55 p.m.122 views

CVE-2025-58065

CVE-2025-58065 (Flask-AppBuilder) : Prior to v4.8.1, when using non-database authentication (OAuth/LDAP, etc.), the password reset endpoint remains registered and accessible even if not shown in the UI. This can let an enabled user reset their password and obtain JWTs, potentially bypassing deact...

6.5CVSS6.8AI score0.00376EPSS
CVE
CVE
added 2022/01/31 8:20 p.m.115 views

CVE-2022-21659

CVE-2022-21659 refers to a timing-based user enumeration vulnerability in Flask-AppBuilder (pre-3.4.4). The issue allows an unauthenticated user to infer account existence by measuring login response timing, indicating a partial confidentiality impact. Affected software is Flask-AppBuilder built ...

5.3CVSS5AI score0.00953EPSS
CVE
CVE
added 2022/03/24 7:45 p.m.113 views

CVE-2022-24776

Flask-AppBuilder

6.1CVSS6.1AI score0.00923EPSS
CVE
CVE
added 2021/09/08 5:45 p.m.89 views

CVE-2021-32805

CVE-2021-32805 describes an open redirect in Flask-AppBuilder when using OAuth. Vulnerable in affected Flask-AppBuilder deployments that accept a crafted URL to redirect users to a malicious site. Remediation listed: upgrade Flask-AppBuilder to 3.2.2+ or apply a workaround that filters next param...

7.2CVSS6.2AI score0.007EPSS
CVE
CVE
added 2021/12/09 4:40 p.m.76 views

CVE-2021-41265

CVE-2021-41265 affects Flask-AppBuilder prior to 3.3.4, due to an improper authentication vulnerability in the REST API. The issue allows a malicious actor to authenticate with a crafted request and access protected REST API endpoints, limited to non-database authentication types and new REST API...

8.8CVSS8.5AI score0.0125EPSS