Pypi · Flask-Appbuilder · CVE-2022-31177
**Name of the Vulnerable Software and Affected Versions**
Flask-AppBuilder versions prior to 4.1.3
**Description**
An authenticated Admin user could query other users by their salted and hashed password strings, supplying partial hashed password strings as the search value. The response would not include the hashed passwords, but an attacker could infer partial password hashes and the users they belong to. This issue is specific to the `AUTH DB` database authentication option.
**Recommendations**
For versions prior to 4.1.3, upgrade to version 4.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the user query functionality to minimize the risk of exploitation. Avoid using the `AUTH DB` database authentication option until the issue is resolved.
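The weakness and its fix, as an added plain-Python illustration that is not Flask-AppBuilder's own code: a user search that honours a "starts with" filter on the password column, the hardened form that excludes credential columns from search (on a Flask-AppBuilder ModelView the corresponding setting is `search_exclude_columns`), and a request-log check that flags filters on an excluded column. The sample records, the placeholder hash strings and the `_flt_<n>_<column>` query-parameter shape are assumptions.

```python
from dataclasses import dataclass, fields
import re
from typing import FrozenSet, List


@dataclass(frozen=True)
class User:
    username: str
    email: str
    password: str  # salted hash; never part of any response body


# Constructed sample records; the hash strings are placeholders, not real hashes.
USERS: List[User] = [
    User("alice", "alice@example.com", "$pbkdf2$salt1$deadbeef"),
    User("bob", "bob@example.com", "$pbkdf2$salt2$cafef00d"),
    User("carol", "carol@example.com", "$pbkdf2$salt3$deadc0de"),
]
COLUMNS: FrozenSet[str] = frozenset(f.name for f in fields(User))
SEARCH_EXCLUDE_COLUMNS: FrozenSet[str] = frozenset({"password"})


def vulnerable_search(column: str, prefix: str) -> List[str]:
    """Admin list search with a 'starts with' filter on any model column.
    Only usernames come back, yet accepting 'password' as a filter column
    lets the caller learn which users' hashes begin with a chosen prefix."""
    return [u.username for u in USERS if getattr(u, column).startswith(prefix)]


class ForbiddenFilter(ValueError):
    """A filter referenced a column that is excluded from search."""


def is_searchable(column: str) -> bool:
    """Unknown columns and credential columns are never searchable."""
    return column in COLUMNS and column not in SEARCH_EXCLUDE_COLUMNS


def hardened_search(column: str, prefix: str) -> List[str]:
    """Same search, but the filter column is validated before any query runs."""
    if not is_searchable(column):
        raise ForbiddenFilter(f"column {column!r} is not searchable")
    return vulnerable_search(column, prefix)


# Assumed request-log shape: list-view filters encoded as _flt_<n>_<column>=value.
FILTER_PARAM = re.compile(r"_flt_\d+_(?P<column>[A-Za-z_]+)=")


def flagged_filter_columns(log_line: str) -> List[str]:
    """Return excluded columns named by filter parameters in one request line."""
    return [m.group("column") for m in FILTER_PARAM.finditer(log_line)
            if m.group("column") in SEARCH_EXCLUDE_COLUMNS]
```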