{"id":"PYSEC-2021-359","details":"Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions, if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder; this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue upgrade to Flask-AppBuilder 3.2.2 or above. If upgrading is infeasible, users may filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting as a workaround.","aliases":["CVE-2021-32805","GHSA-624f-cqvr-3qw4"],"modified":"2023-11-08T04:06:00.588656Z","published":"2021-09-08T18:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4"},{"type":"FIX","url":"https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74"}],"affected":[{"package":{"name":"flask-appbuilder","ecosystem":"PyPI","purl":"pkg:pypi/flask-appbuilder"},"ranges":[{"type":"GIT","repo":"https://github.com/dpgaspar/Flask-AppBuilder","events":[{"introduced":"0"},{"fixed":"6af28521589599b1dbafd6313256229ee9a4fa74"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.2"}]}],"versions":["0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.18","0.1.19","0.1.20","0.1.21","0.1.22","0.1.23","0.1.24","0.1.25","0.1.26","0.1.27","0.1.28","0.1.29","0.1.3","0.1.33","0.1.34","0.1.35","0.1.36","0.1.37","0.1.38","0.1.4","0.1.43","0.1.44","0.1.45","0.1.46","0.1.47","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.1","0.4.2","0.4.3","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.11.0","1.11.1","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.13.0","1.13.1","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.5.0","1.6.0","1.6.1","1.6.2","1.6.3","1.7.0","1.7.1","1.8.0","1.8.1","1.9.0","1.9.1","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","2.0.0","2.1.0","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.0rc1","2.2.0rc2","2.2.1","2.2.1rc1","2.2.1rc2","2.2.1rc3","2.2.2","2.2.2rc1","2.2.2rc2","2.2.2rc3","2.2.3","2.2.3rc1","2.2.3rc2","2.2.3rc3","2.2.3rc4","2.2.3rc5","2.2.3rc6","2.2.4","2.2.4rc1","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.1","2.3.1rc1","2.3.2","2.3.2rc1","2.3.3","2.3.3rc1","2.3.3rc2","2.3.3rc3","2.3.4","2.3.4rc1","3.0.0","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.0rc4","3.0.1","3.0.1rc1","3.1.0","3.1.0rc1","3.1.0rc2","3.1.0rc3","3.1.1","3.1.1rc1","3.1.1rc2","3.1.1rc3","3.2.0","3.2.0rc1","3.2.0rc2","3.2.1","3.2.1rc1","3.2.2","3.2.2rc1","3.2.3","3.2.3rc1","3.2.3rc2","3.3.0","3.3.0rc1","3.3.1","3.3.1rc1","3.3.2rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2021-359.yaml"}}],"schema_version":"1.7.3"}