CVE-2021-23385
CVE-2021-23385 affects Flask-Security across all versions. The get_post_logout_redirect and get_post_login_redirect functions can bypass URL validation, allowing an open redirect to an arbitrary URL when a user supplies multiple backslashes (e.g., \evil.com/path). Exploitation requires either usi...
CVE-2021-32618
CVE-2021-32618 – Open Redirect in Flask-Security-Too. The Flask extension Flask-Security-Too contains logic to validate the URL in the next parameter, attempting to allow only relative URLs or URLs with the same netloc. However, some browsers may transform incomplete URLs (for example next=\gith...