{"id":"PYSEC-2021-91","details":"The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to \"0\" (seconds) which should make the token unusable.","aliases":["CVE-2021-21241","GHSA-hh7m-rx4f-4vpv"],"modified":"2023-11-08T04:04:39.251638Z","published":"2021-01-11T21:15:00Z","references":[{"type":"WEB","url":"https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5"},{"type":"PACKAGE","url":"https://pypi.org/project/Flask-Security-Too"},{"type":"FIX","url":"https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f"},{"type":"ADVISORY","url":"https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv"},{"type":"WEB","url":"https://github.com/Flask-Middleware/flask-security/pull/422"},{"type":"FIX","url":"https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a"}],"affected":[{"package":{"name":"flask-security-too","ecosystem":"PyPI","purl":"pkg:pypi/flask-security-too"},"ranges":[{"type":"GIT","repo":"https://github.com/Flask-Middleware/flask-security","events":[{"introduced":"0"},{"fixed":"61d313150b5f620d0b800896c4f2199005e84b1f"},{"fixed":"6d50ee9169acf813257c37b75babe9c28e83542a"}]},{"type":"ECOSYSTEM","events":[{"introduced":"3.3.0"},{"fixed":"3.4.5"}]}],"versions":["3.3.0","3.3.1","3.3.2","3.3.3","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2021-91.yaml"}}],"schema_version":"1.7.3"}