Look up vulnerable packages by Package URL (purl).

Purl pkg:pypi/flask-security-too@3.2.0
Type pypi
Namespace
Name flask-security-too
Version 3.2.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.3.3
Latest_non_vulnerable_version 5.8.1
Affected_by_vulnerabilities
0
url VCID-2ru3-9p5p-efep
vulnerability_id VCID-2ru3-9p5p-efep
summary
CSRF Vuln can expose user's QRcode
### Impact
When a user is setting up two-factor authentication using an authenticator app, a QRcode is generated and made available via a GET request to /tf-qrcode. Since GETs do not have any CSRF protection, it is possible a malicious 3rd party could access the QRcode and therefore gain access to two-factor authentication codes. Note that the /tf-qrcode endpoint is ONLY accessible while the user is initially setting up their device. Once setup is complete, there is no vulnerability.

### Patches
This is fixed in the upcoming 4.0.0 release.

### Workarounds
You can provide your own URL for fetching the QRcode by defining SECURITY_TWO_FACTOR_QRCODE_URL and providing your own implementation (one that presumably requires a POST with CSRF protection). This would require changing the two-factor setup template as well.

### References
None.

### For more information
If you have any questions or comments about this advisory:
* Read this pull request: #423
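The workaround the advisory describes, shown as an added example that is not Flask-Security-Too's own code: a POST-only endpoint of the shape you would point SECURITY_TWO_FACTOR_QRCODE_URL at, which hands out the enrollment payload only when the request carries the CSRF token bound to the caller's session and an enrollment is actually in progress. It is written against plain WSGI so it runs without Flask; the cookie name, the in-memory session store, the user record, the TOTP secret and the otpauth URI are all constructed for illustration.

```python
"""Added example (not Flask-Security code): a POST-only, CSRF-protected
stand-in for the /tf-qrcode endpoint. Session store, cookie name, user and
TOTP secret are constructed; a real app would render a QR image of the URI."""
import hmac
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs

SESSION_COOKIE = "session"  # assumed cookie name

# Constructed server-side session store: session id -> session data.
SESSIONS = {
    "sid-alice": {
        "user": "alice@example.test",
        "csrf_token": secrets.token_urlsafe(32),
        # Present only while the user is mid-way through 2FA enrollment.
        "tf_setup_secret": "JBSWY3DPEHPK3PXP",  # constructed TOTP secret
    }
}


def provisioning_uri(user: str, secret: str) -> str:
    """otpauth URI an authenticator app enrolls from (the QR code's content)."""
    return f"otpauth://totp/Example:{user}?secret={secret}&issuer=Example"


def tf_qrcode_app(environ, start_response):
    """WSGI app: the enrollment payload is served only to a POST carrying the
    session's CSRF token. A bare GET, the vulnerable shape, gets 405."""
    if environ["PATH_INFO"] != "/tf-qrcode":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]

    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
    session = SESSIONS.get(sid)
    # No session, or setup already finished: nothing to hand out.
    if session is None or "tf_setup_secret" not in session:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no enrollment in progress"]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    submitted = form.get("csrf_token", [""])[0]
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"bad csrf token"]

    body = provisioning_uri(session["user"], session["tf_setup_secret"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "no-store")])
    return [body]


def call(app, method: str, path: str, cookie: str = "", body: bytes = b""):
    """Minimal WSGI test client: returns (status, body) for a constructed request."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    token = SESSIONS["sid-alice"]["csrf_token"]
    print(call(tf_qrcode_app, "GET", "/tf-qrcode", "session=sid-alice"))
    print(call(tf_qrcode_app, "POST", "/tf-qrcode", "session=sid-alice", b"csrf_token=wrong"))
    print(call(tf_qrcode_app, "POST", "/tf-qrcode", "session=sid-alice",
               f"csrf_token={token}".encode()))
```

The template change the advisory mentions is the other half: the setup page has to fetch the QR payload with a POST that includes the session's CSRF token rather than through an `<img src="/tf-qrcode">`, and the response is marked `no-store` so the secret does not linger in caches.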
references
0
reference_url https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-fxq4-r6mr-9x64
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-fxq4-r6mr-9x64
1
reference_url https://pypi.org/project/Flask-Security-Too
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://pypi.org/project/Flask-Security-Too
2
reference_url https://github.com/advisories/GHSA-fxq4-r6mr-9x64
reference_id GHSA-fxq4-r6mr-9x64
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fxq4-r6mr-9x64
fixed_packages
0
url pkg:pypi/flask-security-too@3.4.5
purl pkg:pypi/flask-security-too@3.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5k8g-v79c-zkcc
1
vulnerability VCID-tze5-wkqj-8fdh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-security-too@3.4.5
aliases GHSA-fxq4-r6mr-9x64
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ru3-9p5p-efep
1
url VCID-5k8g-v79c-zkcc
vulnerability_id VCID-5k8g-v79c-zkcc
summary An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-49438
reference_id
reference_type
scores
0
value 0.14068
scoring_system epss
scoring_elements 0.94515
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-49438
1
reference_url https://github.com/advisories/GHSA-672h-6x89-76m5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-672h-6x89-76m5
2
reference_url https://github.com/brandon-t-elliott/CVE-2023-49438
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/brandon-t-elliott/CVE-2023-49438
3
reference_url https://github.com/Flask-Middleware/flask-security
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Flask-Middleware/flask-security
4
reference_url https://github.com/Flask-Middleware/flask-security/commit/8b5abc4d4db9926a3d76b34b8b03255effb5e712
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Flask-Middleware/flask-security/commit/8b5abc4d4db9926a3d76b34b8b03255effb5e712
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2023-248.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2023-248.yaml
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49438
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-49438
fixed_packages
0
url pkg:pypi/flask-security-too@5.3.3
purl pkg:pypi/flask-security-too@5.3.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-security-too@5.3.3
aliases CVE-2023-49438, GHSA-672h-6x89-76m5, PYSEC-2023-248
risk_score 2.8
exploitability 0.5
weighted_severity 5.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5k8g-v79c-zkcc
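The `?next` open redirect summarised above (VCID-5k8g-v79c-zkcc / CVE-2023-49438) comes down to how the application decides that a redirect target is local. The following is an added example, not Flask-Security-Too's code and not the advisory's proof of concept: a naive check that trusts `urlsplit()` alone, next to a hardened check that rejects the inputs browsers resolve off-site. The site origin and every payload in the test are constructed.

```python
"""Added example (not Flask-Security's own code): validating a ?next
parameter so /login and /register can only redirect within the site.
The origin and the payloads are constructed test inputs."""
from urllib.parse import urljoin, urlsplit

SITE = "https://app.example"  # assumed origin of the application


def naive_is_local(next_url: str) -> bool:
    """Vulnerable shape: 'no scheme and no netloc' looks local to urlsplit(),
    but a browser treats the backslash in '/\\evil.example' as a slash and
    resolves it as '//evil.example', i.e. a different host."""
    parts = urlsplit(next_url)
    return parts.scheme == "" and parts.netloc == ""


def safe_is_local(next_url: str) -> bool:
    """Hardened check: exactly one leading '/', no backslashes, no control
    characters (browsers strip tab/newline before parsing, so '/\\t/evil'
    becomes '//evil'), nothing urlsplit() sees as scheme or netloc, and the
    resolved absolute URL must still be on our origin."""
    if not next_url or len(next_url) > 2048:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_url):
        return False
    # urljoin() does not treat '\\' as a separator, so the final resolution
    # below would miss this case; reject it explicitly.
    if "\\" in next_url:
        return False
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return False
    resolved = urlsplit(urljoin(SITE, next_url))
    origin = urlsplit(SITE)
    return (resolved.scheme, resolved.netloc) == (origin.scheme, origin.netloc)


def redirect_target(next_url: str, default: str = "/") -> str:
    """What the login/register handler should actually redirect to."""
    return next_url if safe_is_local(next_url) else default


if __name__ == "__main__":
    # Constructed payloads: the first four must be rejected, the last accepted.
    for candidate in ["/\\evil.example", "//evil.example",
                      "https://evil.example/", "/\t/evil.example",
                      "/dashboard?tab=keys"]:
        print(f"{candidate!r:28} naive={naive_is_local(candidate)!s:5} "
              f"safe={safe_is_local(candidate)}")
```

The allow-list approach (only relative paths, resolved against the known origin) is the check to keep; a deny-list of known-bad prefixes is what the naive version amounts to and is what each new bypass gets around.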
2
url VCID-tze5-wkqj-8fdh
vulnerability_id VCID-tze5-wkqj-8fdh
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32618
reference_id
reference_type
scores
0
value 0.17067
scoring_system epss
scoring_elements 0.95143
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32618
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/Flask-Middleware/flask-security
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/Flask-Middleware/flask-security
3
reference_url https://github.com/Flask-Middleware/flask-security/commit/e39bb04615050448c1b8ba4caa7dacc0edd3e405
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/Flask-Middleware/flask-security/commit/e39bb04615050448c1b8ba4caa7dacc0edd3e405
4
reference_url https://github.com/Flask-Middleware/flask-security/issues/486
reference_id
reference_type
scores
url https://github.com/Flask-Middleware/flask-security/issues/486
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2021-123.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2021-123.yaml
6
reference_url https://web.archive.org/web/20210517211717/https://github.com/Flask-Middleware/flask-security/issues/486
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210517211717/https://github.com/Flask-Middleware/flask-security/issues/486
7
reference_url https://web.archive.org/web/20211207121851/https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20211207121851/https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
8
reference_url https://web.archive.org/web/20220410062740/https://github.com/Flask-Middleware/flask-security/pull/489
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20220410062740/https://github.com/Flask-Middleware/flask-security/pull/489
9
reference_url https://security.archlinux.org/AVG-1965
reference_id AVG-1965
reference_type
scores
0
value Low
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1965
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32618
reference_id CVE-2021-32618
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32618
11
reference_url https://github.com/advisories/GHSA-6qmf-fj6m-686c
reference_id GHSA-6qmf-fj6m-686c
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qmf-fj6m-686c
fixed_packages
0
url pkg:pypi/flask-security-too@4.1.0
purl pkg:pypi/flask-security-too@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5k8g-v79c-zkcc
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-security-too@4.1.0
aliases CVE-2021-32618, GHSA-6qmf-fj6m-686c, PYSEC-2021-123
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tze5-wkqj-8fdh
Fixing_vulnerabilities
Risk_score 2.8
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-security-too@3.2.0
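The fields at the top of this page (Purl, Type, Namespace, Name, Version, Qualifiers, Subpath, Is_vulnerable, Next_non_vulnerable_version, Latest_non_vulnerable_version) are derived from a Package URL plus the per-advisory fixed versions. The following is an added example, not VulnerableCode's own code: a purl parser and a small resolver that reproduces those fields. It assumes the simple "affected if below the fixed version" model (real advisories can carry several ranges), plain dotted-integer versions (a subset of PEP 440), and a constructed release list; the fixed versions are the ones listed under fixed_packages on this page.

```python
"""Added example (not VulnerableCode's code): parse a Package URL and derive
is_vulnerable / next_non_vulnerable_version / latest_non_vulnerable_version.
Assumptions: a version is affected by an advisory iff it sorts below that
advisory's fixed version; versions are dotted integers; RELEASES is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    version = ""
    if "@" in rest:  # last '@' separates the version; '@' in names is encoded
        rest, _, version = rest.rpartition("@")
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError("purl has no name")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return PackageURL(ptype.lower(), "/".join(segments[:-1]) or None,
                      segments[-1], unquote(version) or None,
                      qualifiers, unquote(subpath) or None)


def vkey(version: str):
    """Sort key for dotted-integer versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


FIXED_IN = {  # fixed_packages as listed on this page
    "VCID-2ru3-9p5p-efep": "3.4.5",
    "VCID-5k8g-v79c-zkcc": "5.3.3",
    "VCID-tze5-wkqj-8fdh": "4.1.0",
}
# Constructed release list for the package; only some of these appear on the page.
RELEASES = ["3.2.0", "3.4.5", "4.0.0", "4.1.0", "5.3.2", "5.3.3", "5.4.0", "5.8.1"]


def affected_by(version: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    return sorted(v for v, fixed in fixed_in.items() if vkey(version) < vkey(fixed))


def assess(purl_str: str, releases=RELEASES, fixed_in=FIXED_IN) -> dict:
    """Reproduce the package-level fields shown at the top of the page."""
    pkg = parse_purl(purl_str)
    vulns = affected_by(pkg.version, fixed_in)
    clean = [r for r in sorted(releases, key=vkey) if not affected_by(r, fixed_in)]
    later_clean = [r for r in clean if vkey(r) > vkey(pkg.version)]
    return {
        "purl": purl_str, "type": pkg.type, "name": pkg.name, "version": pkg.version,
        "is_vulnerable": bool(vulns),
        "affected_by_vulnerabilities": vulns,
        "next_non_vulnerable_version": later_clean[0] if later_clean else None,
        "latest_non_vulnerable_version": clean[-1] if clean else None,
    }


if __name__ == "__main__":
    for purl in ["pkg:pypi/flask-security-too@3.2.0",
                 "pkg:pypi/flask-security-too@3.4.5",
                 "pkg:pypi/flask-security-too@5.3.3"]:
        print(assess(purl))
```

With the page's fixed versions this yields 5.3.3 as the next non-vulnerable version for 3.2.0 and confirms why 3.4.5 (fixes only the QR-code advisory) and 4.1.0 (still below 5.3.3) are themselves listed as vulnerable fixed_packages.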