CVE-2024-27083

MEDIUM

Flask-AppBuilder 4.1.4-4.2.1 - Cross-Site Scripting on OAuth Login Page

Title source: llm

Description

Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fqxj-46wg-9v84

Patch x_refsource_misc

https://github.com/dpgaspar/Flask-AppBuilder/commit/3d17741886e4b3c384d0570de69689e4117aa812

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0057

EPSS Percentile 42.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

dpgaspar/flask-appbuilder 4.1.4 - 4.2.1

pypi/Flask-AppBuilder 4.1.4 - 4.2.1PyPI

Published Feb 29, 2024

Tracked Since Feb 18, 2026