CVE-2024-27083 MEDIUM

CVE-2024-27083: Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)

Vendor Dpgaspar
Product Flask-AppBuilder
Weakness CWE-79 · XSS
Published February 28, 2024
Last update August 8, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Flask-AppBuilder is an application development framework built on top of Flask. A cross-site scripting (XSS) vulnerability was discovered in the OAuth login page. An attacker could trick a user into following a specially crafted URL to that page; the payload carried in the URL is reflected into the page and executes as JavaScript in the user's browser. The issue was introduced in version 4.1.4 and patched in version 4.2.1.
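The pattern behind this class of bug, shown as an added example that is not Flask-AppBuilder's code and does not reproduce its template: a login view writes a value taken from the request URL into the page without output encoding, so a crafted link becomes script in the victim's browser. The parameter name `next`, the `/login/` path and the page markup are assumptions chosen for illustration; the example uses only the standard library (a minimal WSGI app stands in for the Flask view) so it runs offline, and the check at the end is the one a tester would run against a real response.

```python
"""Illustrative reflected XSS on an OAuth-style login page, and the fix.

Added example; NOT Flask-AppBuilder's code. The `next` parameter, the
/login/ path and the markup are assumptions used to show the pattern the
advisory describes.
"""
import sys
from html import escape
from io import BytesIO
from urllib.parse import parse_qs, quote

# Constructed attacker payload, of the kind a crafted link would carry.
PAYLOAD = '<script>alert(document.cookie)</script>'


def render_login_vulnerable(params: dict) -> str:
    """Vulnerable version: the query value is concatenated into HTML verbatim.

    In a Jinja template the equivalent mistake is `{{ value|safe }}` or
    wrapping the value in Markup(); a plain `{{ value }}` is autoescaped.
    """
    nxt = params.get("next", [""])[0]
    return (
        "<html><body><h1>Sign in with your OAuth provider</h1>"
        f"<p>After login you will be returned to {nxt}</p>"  # BUG: no encoding
        "</body></html>"
    )


def render_login_fixed(params: dict) -> str:
    """Fixed version: encode for the HTML context before writing the value out."""
    nxt = params.get("next", [""])[0]
    return (
        "<html><body><h1>Sign in with your OAuth provider</h1>"
        f"<p>After login you will be returned to {escape(nxt, quote=True)}</p>"
        "</body></html>"
    )


def make_app(render):
    """Wrap a render function as a minimal WSGI app (stand-in for a Flask view)."""
    def app(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        body = render(params).encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    return app


def get(app, url: str) -> str:
    """Drive the WSGI app in-process: the response the victim's browser would
    receive after following the link, without starting a server."""
    path, _, query = url.partition("?")
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
        "wsgi.errors": sys.stderr,
    }
    return b"".join(app(environ, lambda status, headers: None)).decode("utf-8")


def crafted_url(payload: str, path: str = "/login/") -> str:
    """Build the link an attacker would send. Percent-encoding keeps it a valid
    URL; the server decodes it back to the raw payload before rendering."""
    return f"{path}?next={quote(payload, safe='')}"


def reflected_unescaped(page: str, payload: str) -> bool:
    """The check a tester runs on a response: did the raw payload survive?"""
    return payload in page


if __name__ == "__main__":
    url = crafted_url(PAYLOAD)
    for name, render in (("vulnerable", render_login_vulnerable),
                         ("fixed", render_login_fixed)):
        page = get(make_app(render), url)
        print(f"{name}: unescaped reflection = {reflected_unescaped(page, PAYLOAD)}")
```

The vulnerable render returns the `<script>` element intact, so a browser would execute it; the fixed render returns `&lt;script&gt;...`, which the browser displays as text. Encoding must match the output context: `html.escape` is right for element content and quoted attributes, but a value placed inside an existing `<script>` block or a URL needs JavaScript-string or URL encoding instead, which is why the reliable fix is to keep autoescaping on and never mark request-derived data as safe.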

Key dates

02 Disclosure timeline

February 28, 2024 CVE published
August 8, 2024 Record updated