Search for packages
| purl | pkg:pypi/flask-appbuilder@4.0.0rc2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-cefr-t1w9-9yck
Aliases: CVE-2023-34110 GHSA-jhpr-j7cq-3jp3 PYSEC-2023-94 |
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2. |
Affected by 1 other vulnerability. |
|
VCID-cezb-crna-wbgc
Aliases: CVE-2025-24023 GHSA-p8q5-cvwx-wvwp PYSEC-2025-15 |
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3. |
Affected by 0 other vulnerabilities. |
|
VCID-dqzq-crpp-73f7
Aliases: CVE-2022-31177 GHSA-32ff-4g79-vgfc PYSEC-2022-247 |
Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||