{"id":"CVE-2021-21241","details":"The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to \"0\" (seconds) which should make the token unusable.","aliases":["GHSA-hh7m-rx4f-4vpv","PYSEC-2021-91"],"modified":"2026-03-15T22:38:58.440232Z","published":"2021-01-11T21:15:13.377Z","related":["GHSA-hh7m-rx4f-4vpv","SUSE-SU-2022:3093-1","openSUSE-SU-2024:13561-1","openSUSE-SU-2024:14555-1"],"references":[{"type":"ADVISORY","url":"https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5"},{"type":"ADVISORY","url":"https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv"},{"type":"FIX","url":"https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f"},{"type":"FIX","url":"https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a"},{"type":"FIX","url":"https://github.com/Flask-Middleware/flask-security/pull/422"},{"type":"PACKAGE","url":"https://pypi.org/project/Flask-Security-Too"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"3.3.0"},{"fixed":"3.4.5"}]},{"events":[{"introduced":"0"},{"fixed":"3.4.5"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21241.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"}]}