Impact
If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL pointing at the trusted domain of an application built with Flask-AppBuilder; when a user follows it, the application redirects them to a malicious site. This is an open redirect vulnerability.
Patches
Install Flask-AppBuilder 3.2.2 or above.
Workarounds
Filter HTTP traffic containing ?next={next-site} where the next-site domain is different from the domain of the application you are protecting.
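A concrete form of the workaround above, as an added example that is not Flask-AppBuilder's own code: a same-origin check for the next value and a request filter that applies it, using only the standard library. APP_HOSTS and the function names are assumptions; the check goes beyond the advisory's wording in that it also rejects the scheme-relative, backslash and triple-slash forms that browsers treat as absolute URLs.

```python
import unicodedata
from typing import Set
from urllib.parse import parse_qs, urlsplit

# Assumption: the protected application is only ever served from these hosts.
APP_HOSTS = {"app.example.org"}


def _host_and_scheme_ok(url: str, allowed_hosts: Set[str]) -> bool:
    """One parse of url: stays on an allowed host (or is path-only) over http(s)."""
    if url.startswith("///"):  # browsers read "///evil.example" as an absolute URL
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme and not parts.netloc:  # "http:///evil.example", "javascript:..."
        return False
    # hostname drops userinfo and port, so "allowed@evil.example" compares as evil.example
    if parts.netloc and (parts.hostname or "") not in allowed_hosts:
        return False
    return parts.scheme in ("", "http", "https")


def is_safe_next(next_url: str, allowed_hosts: Set[str]) -> bool:
    """True only if following next_url keeps the user on the application."""
    if not next_url:  # nothing to follow; the caller should fall back to its default page
        return False
    # Browsers skip leading control characters and may then see "//host" instead.
    if unicodedata.category(next_url[0])[0] == "C":
        return False
    # Browsers also accept "\" where the URL grammar says "/", so "\\evil.example"
    # is scheme-relative to them although urlsplit sees only a path: check both forms.
    return all(_host_and_scheme_ok(u, allowed_hosts)
               for u in (next_url, next_url.replace("\\", "/")))


def should_block_request(request_url: str, allowed_hosts: Set[str]) -> bool:
    """The advisory's traffic-filter workaround: block a request whose ?next=
    value would send the user off the application."""
    query = parse_qs(urlsplit(request_url).query)
    return any(not is_safe_next(n, allowed_hosts) for n in query.get("next", []))


if __name__ == "__main__":
    # Constructed sample of the kind of crafted link the advisory describes.
    crafted = "https://app.example.org/login?next=//evil.example/phish"
    print(should_block_request(crafted, APP_HOSTS))  # True
```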
References
https://cwe.mitre.org/data/definitions/601.html
For more information
If you have any questions or comments about this advisory: