PT-2021-14351 · Pypi+1 · Flask-Security-Too+1

Published: 2021-01-11 · Updated: 2024-12-06 · CVE-2021-21241

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Flask-Security-Too versions 3.3.0 through 3.4.5
Description: The issue concerns the Flask-Security-Too package, which adds security features (session, token and other authentication mechanisms) to Flask applications. In affected versions, the /login and /change endpoints can return the authenticated user's authentication token in the response to a GET request. Because GET requests are not protected by a CSRF token, a malicious third-party site that can make the victim's browser issue such a request could obtain the authentication token.
Recommendations: For versions 3.3.0 through 3.4.5, update to version 3.4.5 or 4.0.0 to resolve the issue. As a temporary workaround, if authentication tokens are not being used, set the SECURITY_TOKEN_MAX_AGE configuration option to "0" (seconds) so that any returned token is immediately unusable.

Fix

Weakness Enumeration

CSRF

Related Identifiers

CVE-2021-21241
GHSA-HH7M-RX4F-4VPV
OPENSUSE-SU-2022_3093-1
OPENSUSE-SU-2024:13561-1
OPENSUSE-SU-2024:14555-1
PYSEC-2021-91
SUSE-SU-2022:3093-1
SUSE-SU-2022_3093-1

Affected Products

Flask-Security-Too
Suse