Package details: pkg:pypi/flask-appbuilder@4.3.5
purl: pkg:pypi/flask-appbuilder@4.3.5
Next non-vulnerable version: 4.8.1
Latest non-vulnerable version: 4.8.1
Risk: 4.5
Vulnerabilities affecting this package (5)
(each entry lists: Vulnerability, Aliases, Summary, Fixed by)

Vulnerability: VCID-23ud-tv73-xka1
Aliases: CVE-2025-32962, GHSA-99pm-ch96-ccp2
Summary: Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.
Fixed by: 4.6.2
Affected by 1 other vulnerability.

Vulnerability: VCID-b1ab-mbsc-97ft
Aliases: CVE-2025-58065, GHSA-765j-9r45-w2q2
Summary: Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and create JWT tokens even after that user has been disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If an immediate upgrade is not possible, manually disable the password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the password reset URL; and/or monitor for suspicious password reset attempts from disabled accounts.
Fixed by: 4.8.1
Affected by 0 other vulnerabilities.

Vulnerability: VCID-m7g1-s5eg-vkc8
Aliases: CVE-2025-24023, GHSA-p8q5-cvwx-wvwp, PYSEC-2025-15
Summary: Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by measuring the server's response time to brute-forced login requests. This vulnerability is fixed in 4.5.3.
Fixed by: 4.5.3
Affected by 2 other vulnerabilities.

Vulnerability: VCID-qcqd-7xqt-jkew
Aliases: CVE-2024-25128, GHSA-j2pw-vp55-fqqj
Summary: Flask-AppBuilder is an application development framework built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privileged access if a custom OpenID service is deployed by the attacker and is accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.
Fixed by: 4.3.11
Affected by 4 other vulnerabilities.

Vulnerability: VCID-wrnn-ykhq-gqhg
Aliases: CVE-2024-45314, GHSA-fw5r-6m3x-rh7p
Summary: Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue in environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure the web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory.
Fixed by: 4.5.1
Affected by 3 other vulnerabilities.

Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T20:16:56.347572+00:00 | GitLab Importer | Affected by | VCID-b1ab-mbsc-97ft | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-58065.yml | 38.6.0 |
| 2026-06-12T20:01:51.074974+00:00 | GitLab Importer | Affected by | VCID-23ud-tv73-xka1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-32962.yml | 38.6.0 |
| 2026-06-12T19:54:02.626460+00:00 | GitLab Importer | Affected by | VCID-m7g1-s5eg-vkc8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-24023.yml | 38.6.0 |
| 2026-06-12T19:38:47.328184+00:00 | GitLab Importer | Affected by | VCID-wrnn-ykhq-gqhg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-45314.yml | 38.6.0 |
| 2026-06-12T19:21:44.747494+00:00 | GitLab Importer | Affected by | VCID-qcqd-7xqt-jkew | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-25128.yml | 38.6.0 |
| 2026-06-12T04:19:57.758462+00:00 | Pypa Importer | Affected by | VCID-m7g1-s5eg-vkc8 | https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2025-15.yaml | 38.6.0 |
| 2026-06-11T21:03:55.479581+00:00 | PyPI Importer | Affected by | VCID-m7g1-s5eg-vkc8 | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.6.0 |