CVE-2024-27083

EPSS 0.63%
Veröffentlicht 29.02.2024 01:44:19
Zuletzt bearbeitet 01.04.2025 15:22:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dpgaspar ≫ Flask-appbuilder Version >= 4.1.4 < 4.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.63%	0.695

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/dpgaspar/Flask-AppBuilder/commit/3d17741886e4b3c384d0570de69689e4117aa812

Patch

https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fqxj-46wg-9v84

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-27083

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27083

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27083

EUVD