flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDogukanurker Flaskblog
APPDogukanurker≤ 2.8.0
Related vulnerabilities
Nieprawidłowa kontrola dostępu w FlaskBlog — ujawnienie nazw użytkowników
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation...
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" onl...
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of...
flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent wh...