Pypi · Flask-Security-Too · CVE-2023-49438
**Name of the Vulnerable Software and Affected Versions**
Flask-Security-Too versions <=5.3.2
**Description**
This is an open redirect vulnerability: an attacker can redirect users to a malicious site via a crafted URL that abuses the `next` parameter on the `/login` and `/register` routes. The package's validation of URLs supplied in the `next` parameter can be bypassed, and the bypass is compounded by the way web browsers normalize slashes in URLs; versions up to and including 5.3.2 are affected. Additionally, using Werkzeug >=2.1.0 may expose applications that were previously unaffected, because Werkzeug changed the default of the autocorrect location header setting (`autocorrect_location_header`) to False, so Location headers in redirects are relative by default.
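To make the mechanism concrete, the following added example (written for this page, not Flask-Security-Too's own code) places a constructed, deliberately naive `next`-URL check beside a stricter one. The naive check parses the joined URL with `urllib.parse` and compares hosts; it passes a path such as `/\host`, which a browser normalizes to the scheme-relative `//host` and therefore leaves the origin. The strict check accepts only same-origin relative paths, normalizing backslashes before inspection. The host name `app.example` and the helper names are assumptions for illustration.

```python
"""
Constructed illustration of `next`-parameter validation for a login/register
view.  Added example; NOT Flask-Security-Too's own code.  The naive check is a
stand-in for a host-comparison style validator; the strict check is the
defender's replacement.
"""
from urllib.parse import urljoin, urlsplit


def naive_is_safe(next_url: str, host_url: str) -> bool:
    """Constructed weak check: join `next_url` onto the app URL and compare
    the resulting host with the app's host.  urlsplit keeps "/\\evil.example"
    as a *path* on the app host, but a browser reads it as "//evil.example"
    (scheme-relative), so this check lets that value through."""
    app = urlsplit(host_url)
    target = urlsplit(urljoin(host_url, next_url))
    return target.scheme in ("http", "https") and target.netloc == app.netloc


def strict_is_safe(next_url: str) -> bool:
    """Accept only a relative path on the current origin."""
    if not isinstance(next_url, str) or not next_url:
        return False
    # Reject control characters and whitespace: some parsers strip them,
    # and CR/LF must never reach a Location header.
    if any(ord(ch) < 0x20 or ch in " \t\x7f" for ch in next_url):
        return False
    # Browsers treat a backslash like a forward slash in the authority
    # position, so normalize before looking at the leading characters.
    normalized = next_url.replace("\\", "/")
    if not normalized.startswith("/"):
        return False  # absolute URL, bare scheme, or relative segment
    if normalized.startswith("//"):
        return False  # scheme-relative "//host/..." leaves the origin
    parts = urlsplit(normalized)
    # After normalization nothing should parse as a scheme or authority.
    return not parts.scheme and not parts.netloc


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return `next_url` when it passes the strict check, else `fallback`.
    A view would pass the result to Flask's redirect()."""
    return next_url if strict_is_safe(next_url) else fallback


if __name__ == "__main__":
    # Constructed sample inputs; app.example is a placeholder host.
    base = "http://app.example/"
    for candidate in ["/dashboard", "//evil.example/x", "/\\evil.example",
                      "https://evil.example", "/a\r\nSet-Cookie: x=1"]:
        print(f"{candidate!r:32} naive={naive_is_safe(candidate, base)!s:5} "
              f"strict={strict_is_safe(candidate)!s:5} "
              f"-> {safe_redirect_target(candidate)!r}")
```

The strict check is what matters when the Location header is emitted relative, as it is with Werkzeug >=2.1.0's default: the browser, not the server, resolves the value, so the server-side validator has to reason about browser normalization rather than about what `urlsplit` reports.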
**Recommendations**
For Flask-Security-Too versions <=5.3.2, update to a version greater than 5.3.2 to resolve the issue.
As a temporary workaround, consider restricting access to the `/login` and `/register` routes to minimize the risk of exploitation.
Avoid using the `next` parameter in the affected API endpoints until the issue is resolved.