{"id":"GHSA-fxq4-r6mr-9x64","summary":"CSRF Vuln can expose user's QRcode","details":"### Impact\nWhen a user is setting up two-factor authentication using an authenticator app, a QRcode is generated and made available via a GET request to /tf-qrcode. Since GETs do not have any CSRF protection, it is possible a malicious 3rd party could access the QRcode and therefore gain access to two-factor authentication codes. Note that the /tf-qrcode endpoint is ONLY accessible while the user is initially setting up their device. Once setup is complete, there is no vulnerability.\n\n### Patches\nThis is fixed in the upcoming 4.0.0 release.\n\n### Workarounds\nYou can provide your own URL for fetching the QRcode by defining SECURITY_TWO_FACTOR_QRCODE_URL and providing your own implementation (that presumably required a POST with CSRF protection). This would require changing the two-factor setup template as well.\n\n### References\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Read this pull request: #423","modified":"2024-12-02T05:34:30.141378Z","published":"2021-04-08T16:46:00Z","database_specific":{"severity":"LOW","github_reviewed":true,"nvd_published_at":null,"cwe_ids":["CWE-352"],"github_reviewed_at":"2021-04-08T16:45:47Z"},"references":[{"type":"WEB","url":"https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-fxq4-r6mr-9x64"},{"type":"WEB","url":"https://pypi.org/project/Flask-Security-Too"}],"affected":[{"package":{"name":"flask-security-too","ecosystem":"PyPI","purl":"pkg:pypi/flask-security-too"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"3.4.5"}]}],"versions":["3.2.0","3.3.0","3.3.0rc1","3.3.0rc2","3.3.0rc3","3.3.1","3.3.2","3.3.3","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-fxq4-r6mr-9x64/GHSA-fxq4-r6mr-9x64.json"}}],"schema_version":"1.7.3"}