#VU67028 Cross-site request forgery in Flask-Security - CVE-2021-21241

Cybersecurity Help s.r.o.

Published: 2022-09-06

Vulnerability identifier: #VU67028

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21241

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Flask-Security
Web applications / Modules and components for CMS

Vendor: Flask-Middleware

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website and obtain authentication token.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Flask-Security: 3.3.0 - 3.4.4

External links
https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a
https://github.com/Flask-Middleware/flask-security/pull/422
https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5
https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for python-Flask-Security-Too

Arch Linux update for python-flask-security-too

CSRF in Flask-Security Python package