flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
The flask-boilerplate application does not define the SERVER_NAME variable, so when generating a password reset link, it relies solely on the value of the HTTP Host header provided in the request. The attacker initiates a password reset request for a selected account while replacing the Host header with an address of a server under their control. As a result, the victim receives an email with a link leading to the attacker's server, which can intercept the password reset token (CWE-640: Weak Password Recovery Mechanism for Forgotten Password).
An attacker can take full control of any user account by intercepting the password reset token, thereby gaining access to their data and permissions in the application.
The SERVER_NAME variable should be configured in the Flask application settings to prevent link generation from relying on the Host HTTP header. Patches available from the vendor should be applied according to the references.
flask-boilerplate in versions up to and including a170e7c (commit a170e7c in the MaxHalford/flask-boilerplate repository)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H