This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2021-07-05T10:25:11.545785Z
Updated: 2024-09-16T17:15:15.113Z
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23401
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2021-07-05T11:15:07.670
Modified: 2021-07-08T18:08:12.190
Link: CVE-2021-23401
Redhat
No data.